by Cheryl-Anne Sturken | April 6, 2011

It was no April Fool's joke. But on April 1, Irving, Texas-based online marketer Epsilon issued a statement notifying clients that because of an "unauthorized entry" into its e-mail system on March 30, the names and e-mail addresses of potentially millions of customers had been exposed in the security breach. Among the 50 corporate clients hit were two major hotel chains, Marriott International and Hilton Hotels Corp., which immediately issued statements assuring customers that no sensitive information (such as credit card numbers, passwords or personal data) had been compromised.

Ironically, just two weeks earlier, three major hotel associations -- the American Hotel & Lodging Association, Hospitality Financial and Technology Professionals and Hotel Technology Next Generation (HTNG) -- had issued a joint statement urging properties to take action to protect themselves from cyber attacks. "Our decision to address this jointly is directly related to the magnitude of the threat," said Joe McInerney, chief executive officer of Washington, D.C.-based AH&LA, in the statement. In stressing the potential for theft, the associations warned that cyber criminals are aggressively attacking systems that store credit card data, and that evidence gathered by security departments at hotel groups around the world "leave little doubt that the attacks on hotels are highly targeted and effective."

While the Epsilon hacking was not directed solely at hotels, it reinforces just how vulnerable hotels are because of the sheer volume of data they collect and store, particularly from point-of-sale purchases. For example, in February 2010, the Westin Bonaventure Hotel & Suites in Los Angeles and Wyndham Hotels and Resorts both reported they were victims of a security breach that compromised guests' data (this was the second time Wyndham's computer system had been penetrated). And in June 2010, Englewood, Colo.-based Destination Hotels & Resorts reported that guests at 21 of its properties had been subject to credit card theft. Last month, at HTNG's annual conference held in San Diego, IT leaders from several hotel companies, including Marriott, Hyatt Hotels Corp. and Starwood Hotels & Resorts Worldwide, called for tighter security control of guest data. In fact, Todd Thompson, chief information officer for Starwood, speaking at a CIO panel, said that fully 50 percent of his time was spent on data security.

Exactly how vulnerable are hotels? According to Chicago-based data security company Trustwave, hotels are the number-one hacking target. In its February 2010 report, Trustwave's SpiderLabs said that of the 218 breaches it had studied across 24 countries, 38 percent involved attacks on hotels, and it took an average of 156 days for a security breach to be identified. "Credit card crime is the top issue for hotel-company chief information officers today, but they can't address it effectively without the help of every general manager and controller," said Douglas Rice, HTNG's chief executive officer. That's because even though the chains may provide network security for every hotel in their portfolio globally, security controls must be implemented on the front lines at the individual property level to be truly effective.

A sobering consideration for meeting planners: For your next pre-con meeting and contract, you just might want to consider adding "data security" as a line item.