Marriott Breach Exposes Far More Than Just Data
By David Volodzko, FORBES
December 4, 2018
Marriott International's astonishing data breach, exposing up to half a billion guests, has revealed yet another American pressure point that's incredibly sensitive to digital attack — not only must we better defend where we vote and where we get our news, but where we lay our heads when we're not at home.
The company now faces a class-action suit and shares have subsequently fallen 5.6%. On top of this, Marriott says for about 327 million victims, compromised data may include names, addresses and passport numbers — prompting Senator Chuck Schumer to demand that it "foot the bill" for new passports. He isn't the only angry senator either.
"CEOs won’t take protecting our data seriously unless their own jobs are on the line," says Senator Elizabeth Warren, adding that "Congress should focus on holding them accountable for these giant screw-ups."
Marriott says it's looking into how the breach took place, but this leaves the question of why it only now detected a problem that evidently began four years ago.
"With all the resources they have," says Andrei Barysevich, a researcher with the threat intelligence company Recorded Future, "they should have been able to isolate hackers back in 2015."
That's when Marriott announced its acquisition of Starwood Hotels and Resorts Worldwide, and that's when the whole problem began, because the data breach involved the Starwood guest reservation database. But it's hard to believe Marriott couldn't see it coming.
For one thing, just two months after the merger was announced, Starwood reported it had suffered a massive credit card hack in 2014. Also that year, the company's website was home to an SQL injection bug and offers to hack it were being made on the dark web, Hold Security founder Alex Holden told Forbes this week.
So Marriott was clearly taking on considerable risk by acquiring Starwood. But was it unaware of this danger or was it using some version of the recall coordinator's formula, putting customers at risk because it assumed the cost of a breach would be less than the cost of better security?
"Currently many companies opt for inadequate data security because it's cheaper than the consequences of a data breach," says John M. Simpson, project director for privacy and technology at Consumer Watchdog. "The Consumer Privacy Act fixes that and would hold companies accountable."
Simpson believes the Marriott data breach is glaring evidence of the need for the recently enacted, somewhat convoluted, California Consumer Privacy Act (CCPA). If the law were now in effect, he says, Marriott would be on the hook as victims would be able to sue.
The CCPA — which gives Californians the right to know what personal information is collected about them, whether and to whom it is sold or disclosed, as well as the power to prevent such sales — takes effect in 2020 and, while it may sound like reasonable legislation, has already faced a grueling uphill battle.
Amazon, Facebook, Google, Microsoft, Twitter and Uber — as well as internet providers such as AT&T and Verizon — have lobbied hard to defeat the CCPA. But the act is part of a growing trend that includes the EU's General Data Protection Regulation (GDPR) and Vermont's landmark law regulating data brokers, both enacted in May.
Hotels are facing a wave of data-security regulations, and it's a good thing too, because the ripple effect of a hotel breach goes well beyond customers.
"Due to the interconnectedness of other business entities within a hotel – shops, restaurants, dry cleaning services, business centers, and more – breaches can spread quickly across the enterprise and be complex and costly to remediate," says insurance company Axa XL.
And the threat extends even further. Last year, the Russian hacker group Fancy Bear, which has been tied to Moscow's military intelligence service GRU, was found to be using the leaked NSA hacking tool EternalBlue to hack victims via their hotel Wi-Fi connections. If you're wondering why Moscow cares how many times you checked your email while on vacation in Santo Domingo, consider these words by Michael Daly, cybersecurity chief technology officer at Raytheon Intelligence:
"This is much more than a consumer data breach. When you think of this from an intelligence gathering standpoint, it is illuminating the patterns of life of global political and business leaders, including who they traveled with, when and where. That is incredibly efficient reconnaissance gathering and elevates this breach to a national security problem."
Hotels are easy targets, constituting 92% of all point-of-sale intrusions in 2017, and hotel mergers are only expected to accelerate. That's like walking toward the edge of a terrifyingly high cliff and picking up speed. But the GDPR, Vermont's new law and the CCPA are good first measures. We need more.
The good news is, hotels already have good incentives. They make more money when guests feel safer. That will only happen, writes Bob Braun, author at eHotelier's Insights, "if they believe all of their property, including their digital property, is protected." But if they do, he adds, "Hotels can transform themselves from being the most likely source of data theft to becoming the model for data security."