Marriott International discovered a data breach within its Starwood reservation system that could have potentially compromised the information of 500 million customers. Unsurprisingly, given the scale of the incident, responses to the breach have been strong and swift.
Lawmakers on Capitol Hill have cited the Marriott Breach as another reason why the U.S. needs federal privacy rules. Senate Intelligence Committee Vice Chair Mark Warner, D-Va., said the incident should strengthen Congress' resolve to pass laws that require data minimization and "ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.” Warner's sentiment was shared by Sen. Richard Blumenthal, D-Conn.
“Marriott’s failure to prevent the theft of private data has placed hundreds of millions of customers at significant personal and financial risk," said Blumenthal. "The apparent failure to detect and remove hackers from its systems for four years calls into question whether Marriott took the security and privacy of its customers seriously. ... Once again, Americans are left to pay the substantial cost of corporate negligence."
Consumer Watchdog's John M. Simpson, who's director of its Privacy and Technology Project, said the breach is an example of the usefulness of the California Consumer Privacy Act of 2018. Simpson said the CCPA has provisions to hold companies accountable for data breaches, which is a reason why tech companies are fighting against the law.
Lawmakers are not just focused on the breach from a legislative standpoint. Sen. Chuck Schumer, D-N.Y., has called for Marriott to purchase new passports for customers impacted by the breach.
“Right now, the clock is ticking to minimize the risk customers face, and one way to do this is to request a new passport and make it harder for thieves to paint that full identity picture,” said Schumer.
Many details about the incident have yet to be revealed. However, security researcher Brian Krebs writes massive breaches often occur due to organizations failing to adopt the most important principle in cybersecurity: "Assume you are compromised."
Entities should still focus on software patches and technology to block and detect malware, Krebs writes, but more companies need to operate under the assumption hackers will eventually find a way to breach their systems.
Krebs said companies run by leaders with security backgrounds work this way. Those organizations focus on breach prevention, pay "threat hunters" to look for vulnerabilities, test their own networks and employees for weaknesses, and place an emphasis on data minimization.
"It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly," Krebs writes.
While it has yet to be revealed how and why the breach occurred, one thing is certain: Marriott is going to pay for it.
ZDNet reports on what it might cost. A recent study from IBM and Ponemon states a breach of 50 million records will cost a company $350 million. Using those figures, Marriott could end up with a price tag of $3.5 billion. In its annual report, Marriott said it carries cybersecurity liability insurance, but the deductible and level of coverage are unknown. Even with cyber insurance, the hotel chain will likely pay hundreds of millions, if not more than $1 billion, to cover all of the assorted fees.
Marriott could be facing penalties from regulators as well. The U.K. Information Commissioner's Office announced it is "making enquiries" into the breach, while Bloomberg Intelligence Analyst Tamlin Bason said the breach could be an "early test case of how aggressive regulators are going to be" with the EU General Data Protection Regulation.
As with most data breaches of this magnitude, class-action lawsuits have already been filed. A pair of men from Oregon have sued Marriott, followed by another lawsuit filed in Maryland. While the amount of damages sought was not specified in the Maryland case, the plaintiffs from Oregon are seeking $12.5 billion in costs and losses.