Marriott International Inc.’s disclosure last week of a massive data breach illustrates the potential vulnerability of the hospitality sector, which plays host to mountains of personal information via hotel bookings and loyalty programs, experts say. 

Already the target of past cyberattacks, hotels should ensure they have consistently high levels of security throughout their franchises and conduct cyber due diligence prior to mergers and acquisitions, they say.

Bethesda, Maryland-based Marriott said Nov. 30 that hackers accessed up to 500 million customer records in its Starwood Hotel unit’s reservation system in an attack that began four years ago, prior to Marriott’s ownership of the brand, exposing data including passport numbers and payment cards. The hotel chain said it buys cyber insurance coverage but it is too early to estimate the financial impact of the breach.

Hackers see hotels as a rich source of personal information, said Ryan T. Becker, a partner with Fox Rothschild LLP in Philadelphia.

“Generally speaking, the reason that the hospitality firms probably get more attention than others is because of the amount of information they collect from their guests when they check in,” he said.

Typically, guests provide credit card information, a driver’s license and, if they are travelling internationally, a passport at check in, Mr. Becker said.

Payment information remains a prime target for hackers, said Scott N. Godes, a partner with Barnes & Thornburg LLP in Washington. 

“Ultimately, the criminals are looking for places in which they can get ahold of the largest number of valuable records possible,” he said.

Under their loyalty programs, hotels have “spent decades gathering personal information,” which “makes them a huge target,” said Devin J. Chwastyk, chair of the privacy & data security group at McNees, Wallace & Nurick LLC in Harrisburg, Pennsylvania.

In addition, hotel breach costs tend to be more expensive because “the hospitality industry has already attracted a fair amount of attention” from the Federal Trade Commission on the Wyndham case.

The FTC had charged Parsippany, New Jersey-based Wyndham Worldwide Corp. in its 2012 lawsuit with failing to properly safeguard consumer information held by its hotels, allowing intruders to gain unauthorized access to its computer network three times between April 2008 and January 2010.

The consent decree in that case states what firms need to do to protect hotel information and provides “a road map for the plaintiff attorney who wants to argue the hotel was not doing what it should have done,” said Mr. Chwastyk.

In addition, “The reputational harm for these kinds of incidents is more substantial,” he said. “These companies have a vested interest in trying to placate their valued repeat customers,” which could inflate the cost of a monetary settlement.

Hotels “have a very high transaction volume,” said Stephen J. Newman, an attorney with Stroock & Stroock & Lavan. “Part of it is because they have a lot of locations that are potentially areas of attack, and part of it is you have a lot of employees who are handling credit cards, and it’s very difficult to make sure every employee is fully trained on security matters.”

Hospitality firms “need to make sure, no matter where in the world you are, your training is at the level that’s comparable to your most developed operations,” he said.

In addition, criminal hackers “know that the hospitality industry has not paid enough attention to cybersecurity, so they are easier targets in that sense,” said Raj Chaudhary a Chicago-based principal with Crowe LLP, public accounting, consulting, and technology firm.

Adam Cottini, managing director of insurance and risk management in North America at Arthur J. Gallagher & Co. in New York, said new regulations, including the European Union's General Data Protection Regulation, have broadened the definition of what is considered personally identifiable information.

Before its 2016 acquisition by Marriott, Starwood Hotels & Resorts Worldwide Inc. said in November 2015 that the point of sale systems at 26 of its hotels in the United States and Canada were infected with malware, which permitted access to some of its customers’ payment card data for various periods between November 2014 and June 2015.

The situation raises the question of whether the due diligence conducted before the acquisition “was as comprehensive as it should have been,” which is unknown, said Peter Taffae, a D&O liability insurance expert at Los Angeles-based wholesale brokerage Executive Perils Inc.

“I also think it is very hard, if not impossible, to quantify that risk,” he said.

“(Marriott) should have done a better job of monitoring for losses,” said Joshua B. Bevitz, a partner with Newmeyer & Dillion LLP in Walnut Creek, California.

Experts said the breach will raise questions about the adequacy of investigations concerning cybersecurity prior to mergers and acquisitions.

“This is becoming a pretty big topic of conversation” and “is going to be the next wave of discussion” for M&A activity, Mr. Cottini said.