Marriott Breach Transcends Cybersecurity
It is no surprise that the Marriott data breach, announced the other day, has once again drawn sharp criticism and warnings that an incident of this magnitude has ripple effects far beyond the tech industry. It should also be no surprise that I view this sentiment to be 100% true. The nature and scope of the stolen information (passport numbers, payment card numbers, and guests' arrival and departure dates at the hotels themselves) could open the door to identity theft and even espionage. Marriott has said the card numbers were encrypted, but also that it cannot rule out that the components needed to decrypt them were taken as well, so that protection should not be counted on. “There are just so many things you can extrapolate from people staying at hotels,” says Jesse Varsalone, cybersecurity expert at the University of Maryland. Hotels are, after all, host to business deals of all kinds, as well as to government and military officials traveling domestically or overseas. What more tempting target could there be for the growing number of state-backed hackers?
One specific precedent comes from 2017, when the Russian state-backed group Fancy Bear (also tracked as APT28) was found targeting hotel guests through hotel Wi-Fi networks. According to Raytheon Intelligence CTO Michael Daly, this “is illuminating the patterns of life of global political and business leaders, including who they traveled with, when and where. That is incredibly efficient reconnaissance gathering and elevates this breach [Marriott’s] to a national security problem.”
Overall, up to approximately 500 million guests had their data exposed over roughly four years, with the unauthorized access going undetected until September 2018. As you may have heard by now, that makes it the second largest data breach in history, behind only the Yahoo breach. The affected reservation database belonged to Starwood Hotels and Resorts Worldwide, which Marriott acquired in 2016; the intrusion began in 2014, two years before the deal closed, and Starwood had already disclosed a separate point-of-sale malware incident in 2015, so the risk in the inherited environment was knowable during acquisition due diligence. Instead, Marriott now risks running afoul of GDPR penalties (European guests being among the affected) and faces demands for accountability from politicians such as Chuck Schumer and Elizabeth Warren.
In the US, of course, there is still no strong GDPR equivalent to push companies to take their cybersecurity responsibilities more seriously. The California Consumer Privacy Act (CCPA) has been signed into law but does not take effect until 2020, and it has faced persistent opposition from the likes of Google, Twitter, Amazon and Facebook.
Not to belabor the point, but it is, for better or worse, the failure of businesses to provide sufficient safeguards that brought about these external regulations. All that is left to do now is to proceed on the assumption that your organization will be breached, and to build measures such as encryption, detection, and of course incident response into your security policies and processes. Two caveats a practitioner will recognize: encryption only helps if the keys are stored and managed separately from the data they protect, and detection only helps if the alerts are investigated promptly; the Marriott intruders had four years of undisturbed access. Anything short of that risks incurring the consequences.