Business Treaveler logo

Travel news, reviews and intel for high-flyers

Marriott Data Hackers ‘will never be known,’ Sorenson Says

Marriott CEO notes the breach occurred before and was unrelated to the complex merger of loyalty programs

Arne Sorenson, CEO of Marriott, has said that he believes that the company “will never know who the actor was” behind the data hack, which the company has been battling for the last three months.

In an interview at the company headquarters in Bethesda, Sorenson said that while he had seen that others have externally speculated on who might have been responsible, “…what information they are relying on I don’t know. And we’re not necessarily convinced that anyone knows exactly what happened”.

The data hack was discovered in November 2018 and related to information held by Starwood hotels. Marriott merged with Starwood in 2016.  It was discovered by the company in November 2018 that millions of passports numbers that were stolen by hackers were unencrypted.

The hack was seen as one of several attacks against a number of US sites including government ones to obtain health care data and other personal information. Rather than addressing the possibility of state-sponsored hacking, Sorenson instead talked about the overall challenges of the merger, and the moves made to address customer concerns particularly with regard to problems with Marriott Rewards, soon to be called Marriott Bonvoy).

“On the day of close [of the deal] we linked the two loyalty programs so customers could link two accounts in two separate portfolios and I think customers were surprised we did that and gave us a lot of credit for it,” Sorensen said.  “In the Fall of 2018, we merged the loyalty programs, and that was harder and messier.  “We transferred four billion customer records from the legacy Starwood side to the Marriott side. Our team loves to say we got 99.9 per cent of those right, but that still leaves four million records that were not right.”

It’s these failures (and others) that have frustrated many frequent travelers, as proven by vocal criticism from the points blogs – see The Points Guy for recent issues.

Sorenson said that this is “…an indication that there was so much information that had to move and so many connectivity points in the ways that customers interact with us in hotels and reservation centers and so we had to work through it. The months of September, October and November were very time consuming for the property teams learning 17 new systems that looked different and had different functionality while still serving customers. That process is going well but it is not full stable and we will need more time to work out the kinks.”

Sorenson said that “In the midst of that we had a cyber event which is not really an integration problem.”  The reason for this not being an integration problem is that the hack occurred before the merger, but was only discovered in November 2018. Sorenson says that the hack and its implication “…will have its own life cycle here and Europe and other markets around the world.”

In the interview, he then detailed the time line and what the company did and why.

“We announced November 30, 2018. It was roughly two weeks after we discovered the information had been taken. We thought we have got to get out and tell our customers what happened as quickly as we can. So, during those two weeks we were trying to figure out as much as we could in order to tell somebody. We knew when we went out on November 30 there was still a lot we didn’t know, which was a little bit frustrating because you’d like to have a more solid view of the facts before you start explaining things externally. But we thought we had to be transparent with our customers. Our philosophy about this is we’re in the business for the long term, we don’t really care about the short-term consequences – I’m over-stating that a little bit. But we wanted to make sure we preserve the relationship we have with our customers in the long term, so let’s get out quickly.

“We then spent the months of December and January continuing to work the facts and made another disclosure in January.  By that point [we] were able to shrink the size of the problem a little bit both in terms of the number of customer records that had been accessed, and, you never know anything for certain with these things because you are recreating what happened in the first place, but reasonably certain that no payment card information was obtained in an unencrypted format, and the number of passports that were obtained in an unencrypted format was a much smaller number than the number that appeared to be the case in November, which shrunk the problem a little bit, but it’s still a big issue which will require us to work with regulators and governments and lawsuits for some time to come.”

Sorenson, however, was clear that “We will never know who the actor was. We don’t have the expertise and I don’t think we have the tools to figure that out. There have obviously been people externally who have speculated and what information they are relying on I don’t know and we’re not necessarily convinced that anyone knows exactly what happened.”

As regards the merger, Sorenson said “We still feel incredibly enthusiastic, stronger than we could have done alone by either company greater breadth of choice, a stronger loyalty program and drive our share our wallet.”  As evidence of the success, he also pointed out there “We signed 816 new hotel deals in 2018, and so have almost half a million hotel rooms in our pipeline that have not yet opened, and that includes 200 luxury hotels. None of our competitors have anything like that in terms of distribution.”