When a vendor holding a hotel’s guest data is breached, the hotel itself did not fail to protect anything directly, and regulators have made clear that this distinction does not matter.
Hotels have spent the last two years hardening staff-facing defenses against phishing and watching OTA extranet fraud drain revenue through chargebacks. Both are real. But a growing share of guest data exposure now originates somewhere neither the front desk nor the revenue team controls directly: the property management system (PMS), point-of-sale (POS) platform, and CRM tools that hold reservation history, contact details and, in a smaller but consequential number of cases, payment and identity data, all managed by a vendor the hotel selected but does not operate. When that vendor is breached, the guest experiences it as a hotel data breach. Regulators, in most cases, treat it the same way.
The commercial and compliance reality is that outsourcing the system does not outsource the liability. A hotel that never touches the servers where guest data sits can still be the party a regulator fines, the party a guest sues, and the party whose name appears in the breach notification, because under both GDPR and U.S. enforcement precedent the hotel typically remains the data controller regardless of who built or hosts the software.
1. The Vendor Perimeter: Where Guest Data Actually Lives
A modern hotel’s guest data footprint rarely sits in one place. Reservation and identity data lives in the PMS. Payment card data moves through the POS and payment gateway. Marketing and preference data sits in a CRM. Loyalty and stay-history data may live in a fourth system entirely. Each of these is typically a third-party platform, cloud-hosted, managed by a vendor whose own security posture the hotel did not build and, in most cases, cannot independently audit in any meaningful depth.
This is architecturally different from the OTA exposure this series has already covered. An OTA account takeover compromises a channel the hotel logs into. A PMS, POS, or CRM vendor breach compromises a system the hotel’s entire operation depends on for daily function, and one where the vendor, not the hotel, controls patching cadence, cloud configuration, and employee access hygiene. Guest data at this layer includes categories an OTA breach typically does not touch: internal financial records, shift audits, identification documents, and full reservation histories spanning years rather than a single booking.
The scale of this exposure is structural, not incidental. Verizon’s 2025 Data Breach Investigations Report found that credential abuse and vulnerability exploitation remain the two leading initial access vectors industry-wide, with vulnerability exploitation climbing sharply year-over-year, and reported that the share of breaches involving a third party doubled from the prior year to roughly 30%. Both vectors increasingly land on the vendor layer rather than the hotel’s own network, because that is where the exploitable surface area now concentrates. The Identity Theft Resource Center recorded that the number of organizations affected by supply chain breaches more than tripled in the first quarter of 2024 compared to the same period the prior year, a trend that has continued into hospitality specifically.
What to watch: The IBM Cost of a Data Breach Report 2025 found that while the global average breach cost declined to $4.44 million, hospitality was among the sectors where costs rose year-over-year, and 76% of organizations took more than 100 days to fully recover. For a hotel whose exposure originates in a vendor’s environment, that recovery timeline is largely outside the hotel’s own control: the property is dependent on the vendor’s forensic process, disclosure timeline, and remediation pace, while still owning the guest-facing consequences.
2. The Otelier Breach: What a Single Vendor Compromise Actually Costs
The clearest illustration of vendor-layer exposure in hospitality is the Otelier breach disclosed in January 2025. Otelier, a cloud-based hotel operations platform serving more than 10,000 properties worldwide and used by Marriott, Hilton, Hyatt, and Wyndham among others, was compromised between July and October 2024. The attack chain was unremarkable, and that is the point: information-stealing malware on an employee’s machine captured that employee’s login credentials; those credentials gave the attackers access to Otelier’s Atlassian server; data on that server included access keys for the company’s Amazon S3 cloud storage; and those keys let the attackers exfiltrate approximately 7.8 terabytes from S3 over roughly three months before anyone noticed. No vulnerability exploitation is reported at any step, only secrets stored where a logged-in user could read them and keys whose use nobody was watching.
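The missing control in that chain is visibility into how the stolen S3 keys were used. As an added example (not code from this page, from Otelier, or from any hotel group named here), the following Python script shows the kind of check a hotel’s security team could run over its own AWS account or ask a vendor to demonstrate: it reads CloudTrail S3 data events, totals GetObject egress per access key per day, and flags a key whose daily egress exceeds an absolute threshold, jumps far above that key’s own earlier days, or arrives from a source IP the key has never used before. The event records, key IDs and IP addresses are constructed for the example, the CloudTrail field set is trimmed to what the check reads, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag anomalous S3 egress per AWS access key from CloudTrail S3 data events.

Added example: not code from the page or from any vendor it names. CloudTrail
record fields are trimmed to the ones the check reads; sample records, key IDs
and IP addresses are constructed; thresholds are assumptions to tune locally.
"""
import json
from collections import defaultdict

GiB = 1024 ** 3

# Constructed sample log: newline-delimited CloudTrail S3 data-event records.
# Key ...0001 is a vendor application key with a small daily baseline from one
# IP; on 2024-07-05 it is replayed from a new IP and pulls 45 GiB in a day.
# Key ...0002 appears once with negligible egress and must not be flagged.
SAMPLE_LOG = """
{"eventTime":"2024-07-02T09:14:03Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":524288}}
{"eventTime":"2024-07-02T17:40:51Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":1048576}}
{"eventTime":"2024-07-03T08:02:19Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":2097152}}
{"eventTime":"2024-07-04T08:05:44Z","eventName":"PutObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredIn":8192}}
{"eventTime":"2024-07-04T08:06:10Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":1048576}}
{"eventTime":"2024-07-05T02:11:37Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"198.51.100.77","additionalEventData":{"bytesTransferredOut":16106127360}}
{"eventTime":"2024-07-05T02:58:02Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"198.51.100.77","additionalEventData":{"bytesTransferredOut":16106127360}}
{"eventTime":"2024-07-05T03:31:49Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000001"},"sourceIPAddress":"198.51.100.77","additionalEventData":{"bytesTransferredOut":16106127360}}
{"eventTime":"2024-07-05T10:00:00Z","eventName":"GetObject","userIdentity":{"accessKeyId":"AKIAEXAMPLEKEY000002"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"bytesTransferredOut":4096}}
"""


def load_events(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Per (accessKeyId, UTC day): bytes served by GetObject and source IPs seen."""
    egress = defaultdict(int)
    ips = defaultdict(set)
    for e in events:
        if e.get("eventName") != "GetObject":
            continue  # only reads move data out; PutObject and friends are ignored
        key = e["userIdentity"]["accessKeyId"]
        day = e["eventTime"][:10]
        egress[(key, day)] += int(e.get("additionalEventData", {}).get("bytesTransferredOut", 0))
        ips[(key, day)].add(e["sourceIPAddress"])
    return egress, ips


def flag_anomalies(events, abs_threshold=10 * GiB, ratio=20):
    """Return one finding per (key, day) that trips any of three rules.

    1. daily egress above abs_threshold (assumed value, tune per environment);
    2. daily egress more than `ratio` times the key's largest earlier day;
    3. a source IP this key was never seen from on any earlier day.
    Rules 2 and 3 need at least one earlier day, so a brand-new key only trips rule 1.
    """
    egress, ips = summarize(events)
    days_by_key = defaultdict(list)
    for key, day in egress:
        days_by_key[key].append(day)

    findings = []
    for key, days in days_by_key.items():
        days.sort()
        for i, day in enumerate(days):
            total = egress[(key, day)]
            reasons = []
            if total > abs_threshold:
                reasons.append("egress_over_absolute_threshold")
            prior = days[:i]
            if prior:
                baseline = max(egress[(key, d)] for d in prior)
                if total > ratio * baseline:
                    reasons.append("egress_over_baseline_ratio")
                seen = set().union(*(ips[(key, d)] for d in prior))
                new_ips = ips[(key, day)] - seen
                if new_ips:
                    reasons.append("new_source_ip:" + ",".join(sorted(new_ips)))
            if reasons:
                findings.append({"accessKeyId": key, "day": day, "bytes": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(load_events(SAMPLE_LOG)):
        print(f"{f['accessKeyId']} {f['day']} {f['bytes'] / GiB:.1f} GiB {', '.join(f['reasons'])}")
```

CloudTrail records S3 object-level calls only when data-event logging is enabled for the trail or bucket; management-event logging alone never shows a GetObject, so a vendor that says it "has CloudTrail" has not necessarily answered the question. The new-IP rule is deliberately crude: its job is to surface a key being used from somewhere new, which is exactly the signal a stolen key produces when it is replayed from an attacker’s infrastructure, and it fires on the first such day even when the byte count is still small.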
The data taken was not limited to guest contact details. It included nightly hotel reports, shift audits, internal accounting records, and, in a smaller number of cases, partial credit card data. Have I Been Pwned catalogued roughly 437,000 unique guest email addresses from the breach, with an additional 868,000 OTA-generated addresses identified but not separately loaded into the public database. No hotel chain’s own systems were breached; Marriott, Hilton, and Hyatt each confirmed the intrusion occurred entirely within Otelier’s environment and suspended automated services with the vendor while the investigation proceeded.
The reputational mechanics of the incident are the part that matters most for property-level operators. The attackers, reviewing the data they had taken, initially believed the S3 buckets belonged directly to Marriott and attempted to extort the chain before realizing their mistake. That confusion is instructive: from the outside, a vendor’s infrastructure and a hotel brand’s infrastructure are functionally indistinguishable, and guests draw no meaningful distinction either. When a guest receives a breach notification referencing their hotel stay, the brand absorbs the trust cost regardless of which entity’s servers were actually compromised.
What to watch: The Otelier breach was not the last hospitality vendor incident of its kind. BWH Hotels, the parent of Best Western, WorldHotels, and SureStay, with more than 53 million loyalty members across 4,500-plus properties, disclosed in mid-2026 that a threat actor had access to a reservation-data web application for over six months, from October 2025 to April 2026, before detection. Names, email addresses, phone numbers, home addresses, and reservation details were exposed; the company noted payment data was not stored in the affected system. Two major, separately caused vendor-layer or platform-layer incidents at large hotel groups within roughly eighteen months is evidence of a recurring exposure category, not an isolated event.
3. The GDPR Processor Trap: Why “It Was the Vendor” Is Not a Defense
Under GDPR, the hotel is almost always the data controller for its guest data, the entity that determines why guest information is collected and how it will be used, while the PMS, POS, or CRM vendor is the data processor, acting on the hotel’s instructions under Article 28. That framework was designed to create accountability, and it does, but the accountability it creates runs primarily toward the controller, not the processor.
Article 82 establishes joint and several liability where both a controller and a processor share responsibility for the same harm, meaning an affected guest can pursue the hotel for the full scope of damage even where the technical failure occurred entirely inside the vendor’s systems. The hotel can subsequently seek to recover the vendor’s share under Article 82(5), but that recovery is a separate, often lengthy commercial and legal dispute that happens after the hotel has already absorbed the regulatory and reputational cost. On the regulatory side, the Court of Justice of the EU confirmed in Case C-683/21 (December 2023) that a controller can be fined for unlawful processing carried out by its processor, because the controller remains responsible for processing performed on its behalf; the exceptions are where the processor processed the data for its own purposes or in a manner incompatible with the controller’s instructions. The same ruling held that an administrative fine requires an intentional or negligent infringement, which is why a documented record of vendor due diligence and ongoing oversight is the hotel’s most useful evidence that it was neither.
This is not a theoretical reading of the regulation. Infringements of the controller and processor obligations in Articles 25 to 39, which include an inadequate or missing Data Processing Agreement under Article 28 and inadequate security measures under Article 32, sit in GDPR’s lower enforcement tier, with fines of up to €10 million or 2% of global annual turnover, whichever is higher. Infringements of the basic processing principles in Article 5, including the integrity and confidentiality principle that regulators routinely charge alongside Article 32 after a breach, sit in the higher tier: up to €20 million or 4% of global turnover. The hotel, as controller, is the party that answers for both.
What to watch: A processor that steps outside its instructions and begins determining its own purposes for the data, for example a PMS vendor that uses guest booking data for its own product analytics or resells aggregated data without explicit authorization, becomes a controller in its own right under Article 28(10) and inherits the associated liability. Hotels rarely audit vendor contracts closely enough to know whether this line has already been crossed in their own tech stack.
4. The Marriott Precedent: What Regulators Now Expect From Vendor Oversight
The FTC’s settlement with Marriott and Starwood, finalized in December 2024, is the clearest signal available of how U.S. regulators now expect hotel groups to manage vendor and franchisee data risk, and it was not primarily about a vendor at all. The underlying breaches, which occurred between 2014 and 2020 and affected more than 344 million customers worldwide, were substantially a function of Marriott’s 2016 acquisition of Starwood and the security gaps in the network it inherited. The FTC’s complaint alleged failures in password controls, access controls, network segmentation, software patching, and multi-factor authentication: the same categories of failure that recur across nearly every third-party vendor breach in this sector.
The consent order’s terms are unusually prescriptive and run for 20 years. Marriott must implement a comprehensive information security program and certify compliance to the FTC annually for two decades, undergo an independent third-party security assessment every two years, adopt a data minimization policy with documented justification for retained data, and give U.S. customers a mechanism to request deletion of their personal information. Separately, Marriott paid $52 million to 49 state attorneys general and the District of Columbia. Critically, the order also requires Marriott to establish protocols giving it increased oversight over the vendors and franchisees that access or receive guest data on its behalf, a direct regulatory acknowledgment that the chain’s exposure runs through its extended technology and franchise ecosystem, not just its own servers.
For independent and franchised properties without Marriott’s scale, the practical read is not that this specific order applies to them (it does not) but that it establishes the standard against which “reasonable security” is now measured industry-wide when a regulator evaluates a breach involving guest data, including breaches that trace back to a vendor. A property that cannot demonstrate vendor due diligence, a documented data processing agreement, and some form of ongoing oversight is in a materially weaker position than one that can, regardless of where the actual intrusion occurred.
What to watch: The Marriott order’s loyalty-account provision is notable in its own right: the company must provide a mechanism for members to report unauthorized loyalty activity and restore stolen points. Combined with Hilton’s and Marriott’s own 2025 policy updates on loyalty fraud liability, discussed elsewhere in this series, the direction of regulatory and brand-level travel is toward hotel groups bearing restitution responsibility for fraud and data exposure that originates well outside their direct control.
5. The Contract Gap: Where Data Processing Agreements Fail in Practice
Article 28(3) requires that any DPA between a hotel and its PMS, POS, or CRM vendor specify the subject matter, duration, nature, and purpose of processing, the categories of data and data subjects involved, and the vendor’s security obligations, including restrictions on sub-processors and a requirement to assist the hotel with breach notification and guest data-rights requests. In practice, many of these agreements are signed once at vendor onboarding, rarely revisited, and rarely tested against what the vendor’s engineering team is actually doing with the data years later.
The gap most commonly missed is sub-processor visibility. A PMS vendor’s own cloud infrastructure provider, analytics tool, or support platform is a sub-processor in the hotel’s data chain, and Article 28(4) requires the same protections to flow down through that chain, with the original vendor remaining fully liable to the hotel if a sub-processor fails. The Otelier breach illustrates why this matters operationally as much as legally: the exposure ran through Otelier’s own Atlassian server and its AWS S3 storage, infrastructure layers beneath the primary vendor relationship that most hotel clients would never have separately vetted or even been aware of. A DPA that does not oblige the vendor to list its sub-processors, notify the hotel of changes, and let the hotel object leaves the hotel unable to see that chain at all.
Liability caps are the second recurring gap. Vendor-drafted contracts frequently cap the vendor’s liability at a low multiple of the annual contract value, a figure that bears no relationship to the regulatory fine or guest litigation exposure a hotel could face if that vendor’s failure triggers a controller-level GDPR violation or a U.S. state attorney general inquiry. Without an uncapped or high-ceiling indemnity specific to data protection failures, the hotel is contractually exposed to absorb a cost the vendor was never actually on the hook to help cover.
What to watch: PCI DSS v4.0.1, whose remaining future-dated requirements became mandatory on 31 March 2025, has shifted from point-in-time compliance checks toward continuous security outcomes. Requirement 12.8 places explicit responsibility on the merchant, meaning the hotel, to keep an inventory of its third-party service providers, hold written agreements in which each provider acknowledges its responsibility for the cardholder data it handles, perform due diligence before engaging a provider, monitor each provider’s PCI DSS compliance status at least annually, and maintain a record of which requirements each provider manages on the hotel’s behalf versus which the hotel manages itself. For properties treating vendor security as a one-time procurement decision rather than an ongoing oversight function, that converts an occasional compliance exercise into a standing operational requirement.
Data Sources
- BleepingComputer, “Otelier data breach exposes info, hotel reservations of millions,” January 2025. Original reporting on the breach timeline, attack chain via Atlassian and AWS S3, and confirmation from Marriott.
- Infosecurity Magazine, “Hotel Guest Data Exposed After Otelier Breach,” January 2025. Confirms Have I Been Pwned’s cataloguing of approximately 437,000 unique email addresses from the breach dataset.
- Cybernews, “Best Western parent warns guest data exposed after 6-month reservation system breach,” 2026. Reporting on the BWH Hotels breach notification, exposure window, and data categories affected.
- Federal Trade Commission, “FTC Finalizes Order with Marriott and Starwood,” December 2024. Official FTC press release and consent order terms.
- Alston & Bird, “FTC and State AGs Settle with Marriott over Starwood Data Breaches,” October 2024. Law firm advisory detailing the vendor and franchisee oversight provisions within the consent order.
- Debevoise Data Blog, “FTC’s Consent Order Against Marriott: Expectations for Reasonable Security,” January 2025. Legal analysis of the 20-year term, biennial assessment requirement, and the parallel $52 million state AG settlement.
- LegalClarity, “GDPR Article 28: Processor Obligations and DPA Requirements,” 2026. Legal reference summarizing Article 28 and Article 82 joint-and-several liability provisions and applicable fine tiers.
- IAPP, “The CJEU rules on the liability of controllers,” 2024. International Association of Privacy Professionals. Summarizes the CJEU ruling on controller liability for processor wrongdoing.
- HOTELSMag.com, “What small hotels need to know about cybersecurity in 2026,” 2026. Trade publication citing Verizon’s 2025 DBIR and IBM’s Cost of a Data Breach Report 2025 findings for the hospitality sector, and PCI DSS 4.0.1 requirements.
- Venza, “Otelier Data Breach: Hotelier Impact,” January 2025. Hospitality security vendor analysis citing the Identity Theft Resource Center’s finding that supply chain breach volume more than tripled in Q1 2024 versus Q1 2023.