
Marriott Models How To Handle A Hacking Attack

A massive data breach revealed today tested the character of Marriott hotels this week – and it came through in flying colors.

Yes, bad things happen to good companies, and that is what happened to Marriott. Marriott is regularly celebrated as the finest international hotel chain, with brands such as St. Regis, Ritz-Carlton, JW Marriott, Sheraton, W, Westin, Courtyard and several dozen others. Its glistening brands are also matched by a reputation for execution efficiency and reliability. However, the recently revealed massive data breach tested that enterprise character, and it came through in flying colors.

Yes, the attack on part of Marriott’s systems jeopardized the private information of as many as 500 million customers. The customer data was held in the Starwood Hotel frequent traveler system, which Marriott took over through its acquisition of Starwood in 2016. This hacking is second in size only to the Yahoo! data attacks of 2013 and 2014, which affected roughly 3 billion users. The company announced that an unauthorized party had been tapping into the database since 2014, exposing email addresses, passport numbers, payment information and travel preferences. Unlike the 2017 Equifax breach affecting 148 million people, it is believed that social security numbers were not accessed. Also, unlike the large data breaches at Equifax, Facebook in 2018 (50 million people) and Target in 2013 (40 million people), the company did not deflect, deny, or delay for months after detecting the breach.

Instead, mindful of the new General Data Protection Regulation (GDPR) requirements in the EU, Marriott moved quickly. On September 8, the company discovered that an intrusion had taken place and quickly went to work investigating, but the hackers managed to conceal the precise nature of their theft by encrypting the purloined data themselves before removing it. Thus, it was harder for Marriott to figure out what had been taken and who was victimized.

By November 19, Marriott was able to define what was stolen and then spent the next few days assembling a communication process through the Thanksgiving holiday, which included setting up a call center and a website to answer all questions from affected guests. Furthermore, after identifying an estimated 327 victims, the company allowed for a possible 500 million, to avoid the slow drip of bad news that unfolded at those other hacked firms. This response was accomplished in a week, with the company giving its notification seven days after the breach was identified.

Marriott CEO Arne Sorenson, instead of hiding behind attorneys, came forward stating: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward.”

One of those lessons may be to make even faster public alerts after learning of such breaches, as the GDPR requirements now call for notification roughly three days after detection. Another may be to ensure elevated encryption of names, addresses and phone numbers, as well as of the underlying credit card encryption keys.

This was not a case of incompetence. The CIO of the acquired Starwood unit, Martha Poulter, was the highly regarded former CIO of GE Capital, and the company had made substantial investments in this field. Similarly, the chief information security officer through the data breaches at Yahoo! and Facebook was the same top-rated security superstar, Alex Stamos. Yet perhaps elevated privacy regulation in the U.S. would make it easier for CEOs to justify much larger expenditures on data security, given the centrality of such information to global commerce and the growing sophistication of Russian and other cyber-villains.

In a bold statement just last week, IBM CEO Ginni Rometty called for government action, stating, “In regulating tech, the government needs to focus on fixing the real problem … Tackling the real problem means using a regulatory scalpel, not a sledgehammer, to avoid collateral damage that would hurt the wider, productive and more responsible parts of the digital economy.”

As the European Union thinks about these issues, I would urge a focus on specifics, such as: 1) AI transparency and explainability, and 2) dominant platform liability. Additionally, e-commerce legislation, including the EU’s e-commerce directive, must be reopened to consider new measures of liability. This is the first time a major tech CEO has called for specific regulations on AI transparency and liability. It’s no longer a case of IF there will be regulation, but when.

The stock bounce-back of other hacked firms suggests that highly profitable Marriott’s 5% stock hit is no cause for panic, but its responsible reaction is no cause for celebration either, given the risk to the public that remains. As Nietzsche reminded us, “What does not kill me makes me stronger.”
