The Golden Rule of Hospitality Loyalty Programs – Know thy Data.

Published on October 21, 2020
Today’s post-pandemic world has turned businesses upside down. The hospitality industry has been particularly hard hit, purportedly losing over $46 billion in room revenue since February[1]. These financial losses have taken a real and substantial toll on frontline and corporate workers; the Bureau of Labor Statistics reports job losses of 4.8M in hospitality and leisure.

The existential risk to the hospitality industry from the pandemic extends to the very customers the industry serves. Pre-pandemic, and even today, hotels built their marketing strategies on customer loyalty programs. For instance, Tyler Morse, CEO and managing partner at MCR Development, which owns the TWA Hotel, describes loyalty programs as an “arms race.”[2] The reason for this is simple, according to David Kong, president and CEO of Best Western Hotels & Resorts: hotels must be focused on acquiring new customers, retaining customers, growing the customer base and reactivating past customers. Kong goes on to state the obvious: a customer database is key to these objectives.

“If you don’t have a database that you can actually do analytics on, you don’t even know about your customers. So, you can’t even deploy any one of those four strategies. But without a loyalty program to actually give you that database and that promotion platform and the ability to offer the special member rate, how can you compete then?”[3]

The “analytics” fueling loyalty programs are, in fact, the “processing” of personally identifiable information gathered by hospitality companies on their customers. These include obvious data points such as customer name, address, phone number, passport numbers, billing information, etc. However, this is just the beginning. In order to maximize profits, hotels must have a robust customer profile that includes the individual customer’s or potential customer’s demographics (age, gender, income, etc.), psychographics (personality, preferences, etc.) and their behavior[4].

The bottom line is that hotels hold treasure troves of personally identifiable information. This critical data flows through property management systems, customer reservation systems, and marketing systems, and the trend now is to collect this data into “data lakes” for the complex data analytics necessary to target, acquire, and maintain a rich customer base. The goal is to “put heads in beds.”

The unintended consequence of this massive data collection is an increasing targeting of the industry by hackers who see vulnerable and valuable victims. These bad actors look for the richest payload, requiring the least amount of effort to exploit. As history has shown, even the most reputable and profitable hospitality companies have fallen prey to bad actors, time and time again. Traditionally, risk vs. return would prevail and a hacker/group would hit the larger chains which, in theory, would have centralized data stores; however, as tools have been developed along with hacking methodologies it has become almost trivial to replicate attacks irrespective of the size of the actual data store — once again, dismantling the security-by-obscurity paradigm that some of the smaller market participants may have once enjoyed.

As mentioned above, the hospitality industry has already experienced multiple high-profile breaches. If we examine this from a purely financial perspective, we see that the cost of a data breach can be easily quantified. On average, across industries, businesses estimate the cost of a data breach to be approximately $150/record. Taken at face value, this may seem tenable; however, if you extrapolate that and multiply by thousands of potentially breached records, the costs quickly reach astronomical proportions.

Unfortunately, direct financial losses are typically just the beginning of a breach fallout. One other key aspect is the growing media attention. Yet another impact of this pandemic is the lack of non-pandemic related newsworthy events. While a hack or data breach would certainly have garnered attention, now as the number of reportable events declines, it is entirely possible that data privacy breaches will receive even greater media attention. As this industry is painfully aware, the initial cost of the breach is magnified as media coverage descends and proliferates the negative messaging to consumers across the globe.

Therein lies the existential threat to the business – consumer trust. The reality is, customer loyalty programs are based on trust: a consumer’s trust that she is receiving a valuable service for her money and that her data, and thus privacy, is being adequately protected. As the market has contracted considerably and consumers grow more cognizant of how and why their data is collected and analyzed, the actual cost of a data breach in terms of long-term business impact is anything but trivial. Consumer brand loyalty is vitally important to businesses in general, but specifically to the hospitality sector, as hotels gather and process intimate private details on their customers in an effort to provide the “personalized room experience.” Few sectors have experienced the impact of COVID-19 as keenly as this sector, and for some, consumer trust and loyalty have been a saving grace (for instance, the emergence of the “clean room” and the consumers’ blind trust in this product). Participants within this sector are going to need to prioritize data privacy practices, as a major data breach could prove disastrous as the global economy begins its slow recovery.

There is little doubt that protecting customer data security and privacy is a herculean task in this new economic environment. The traditional hospitality attack surfaces, such as data servers sitting around the world, the multitude of applications, and the disparate and oftentimes outdated IT systems used to operate hospitality businesses, are further exposed by the profound economic pressures facing hospitality. There have been massive furloughs and layoffs of highly skilled security and privacy professionals in the industry, leaving already vulnerable data systems ever more exposed to bad actors or even more prone to human error.


ADVISORI can help.

Fundamental to an effective data protection program is a full and comprehensive understanding of where customer personally identifiable information is collected, stored, transmitted, archived, and discarded.


First, we help with identifying and labeling all data stores on the network. We initiate this process by distributing automated surveys to all relevant stakeholders, e.g., data store managers, data governance team members, etc.

We then use our automated network scanning tools to confirm our survey results.

Once we have identified all relevant databases, we scan each to identify and classify the data content.

From here, we are able to assist our clients with risk mitigation strategies: for instance, data classification and storage strategies, data governance methodologies and best practices, privacy by default (deleting data that is no longer necessary) and data security strategies.

To learn more about how ADVISORI can help, please visit

[3] Id.