Marriott CEO says hotels aren't a national security target, but experts beg to differ

Key Points
  • Marriott CEO Arne Sorenson, in a CNBC interview at the World Economic Forum meeting in Davos, offers further clarity on what the company is doing to respond to a breach of data announced in November.
  • The company says the attack affected 383 million customers and included 5.25 million unencrypted passport numbers.
  • Despite many experts attributing the cyberattack to China, Sorenson says the hospitality industry is not "going to be in anybody's crosshairs."

Marriott CEO Arne Sorenson said Tuesday he doesn't think the company is "going to be in anybody's crosshairs" when it comes to national security concerns, but experts have pointed to China as the likely culprit for the company's cybersecurity breach that affected over 300 million customers.

Sorenson's interview with CNBC at the World Economic Forum in Davos, Switzerland, comes a few months after the company disclosed a massive hack that affected up to 383 million people and included 5.25 million unencrypted passport numbers. Marriott originally said up to 500 million customers were affected by the breach, but revised the number down a few weeks later.

Experts have told several outlets, including The New York Times and The Washington Post, that the hospitality industry is a top nation-state target, and the Marriott breach specifically was likely carried out as an intelligence-gathering effort by China's Ministry of State Security.

Sorenson made the statement Tuesday while addressing increasing tensions with China over trade and legal issues.

"The China story, of course, is a little bit complicated, because we've got the trade and we've got a number of very high-profile events that have happened," Sorenson said. "The China story is still a very constructive one in the travel space. We're not in a business that is super sensitive from a national security perspective. And I don't think we're going to be in anybody's crosshairs."

Marriott's response to the data breach

Sorenson and Marriott also outlined changes they have made to respond to the breach, including focusing on encryption and phasing out old customer databases that were managed separately under the Starwood brand. Starwood was acquired by Marriott in 2016 for $13 billion. It was Starwood's legacy databases that housed the stolen, unencrypted passport information, according to a company spokesperson.

Marriott has since phased out reservation databases belonging to Starwood and moved all reservation information under management in Marriott databases, a project that was completed "at the end of 2018," according to a company spokesperson.

Sorenson discussed the company's future encryption plans, saying Marriott would encrypt passport information when storing it in the future.

"We have got to get it encrypted, and we have to make sure that people have the confidence that the data that we keep is going to be kept only because we need to use it," Sorenson said. "We need to use it in a way that delivers ease and value to you. That's where we've got to get, and we're working as quickly as we can."

Clarifying the company's plans for encryption, a spokesperson said Marriott is "looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities."
