Data Security Best Practices
In today’s world, cyber-security is more important than ever before. Hackers and cyber-criminals are becoming more sophisticated and as a result, it is important for hotels to refresh their cyber-security strategies to address the rapidly-evolving business needs and threats. Marriott has developed tips and best practices for hotels to help minimize risk, and these resources will be shared with hotels via the June 29 Weekly Update. In an effort to protect guest, employee and company information, we encourage you to reinforce the importance of this information with hotel employees to create awareness and to avoid data and/or system breaches.
Protect Hotel Guests – Stay Alert for Suspicious Inquiries
Hotels have seen a recent increase in scammers posing as hotel employees or vendor representatives, requesting information from guests or hotel employees under false pretenses to obtain financial information, such as credit card numbers, or access to property systems. In an increasingly aggressive and technically-advanced society, we must ensure the safety and security of company and customer information.
The scenarios below are “real life” situations that recently occurred at Marriott-branded hotels and were reported to the Security/Privacy team.
|
Scenario |
Response |
|
Someone calls the Bistro claiming to be from Marriott Technical Support and needing to verify transaction information related to recent Bistro purchases. They ask for guest names, room numbers, Marriott Rewards membership level, ticket number, the exact items purchased, and total amount (including tips). After obtaining that information, they then call the guest’s room informing them that they are receiving a free breakfast from the hotel and all they need is their credit card information to process the refund. |
The Marriott Service Desk – or Marriott Technical support – will NEVER ask for guest information and hotels must NEVER comply with these requests.
|
|
Someone emails stating they are from Marriott International Headquarters asking the hotel to send the coming month’s credit card authorization forms. |
Marriott will NEVER ask for this information and hotels must NEVER comply with this request. |
|
Someone calls or emails the hotel impersonating a Marriott employee (e.g., Marriott Service Desk, Marriott.com) or service provider (e.g., MICROS/Oracle) requesting an ID and Password to gain access to either the property computer systems or the Global Point of Sale Systems (i.e., system ID and/or password). |
The Marriott Service Desk and iT Service Providers will NEVER ask for IDs and passwords to gain access to company systems, and this information must NEVER be shared with any individual or organization. |
|
Someone calls room service stating they’re from the accounting department. They ask if there are any “open checks” because there are credit issues with some guest accounts and they need the guest names and room numbers to clear out the exceptions. The caller then calls the guest room and tells the guest the front desk system is down and they need them to provide their credit card information over the phone. |
NEVER give out guest information to anyone.
|
It is imperative that hotel employees do not comply with these requests, and immediately report any suspicious inquiries to their management teams.
Property-level employees are encouraged to keep these points in mind if they receive a suspicious calls or emails:
- Always verify the identity of the person requesting information, regardless of how the request is made – in person, by phone or via email.
- Do not assume the person requesting information is authorized to have it.
- Never share guest, employee or company information unless the requestor has been verified and hotel management has been notified of the inquiry.
- Do not allow callers to dial directly to a guest’s room. This goes against Marriott Corporate policy. Click here for details of how to disable the Auto-Attendant feature on your hotel’s phone system.
- Never transfer callers by room number only. This goes against Marriott Corporate policy. The caller must have the first and last name of the person staying in the room requested.
Marriott continuously assesses the security measures in place to protect Marriott International systems and information (including that of guests and employees), while scammers continue to create new ways to obtain information they should not have. Awareness and action to identify these suspect activities is critical to ensuring the overall security of your hotel’s information and assets.
Review additional details regarding how to recognize suspicious inquiries and activities on Marriott Global Source (MGS), keyword search “Security Awareness.” Questions can be sent directly to Marriott Security.