The Lessons from Marriott’s Epic Data Breach
By now you’ve probably heard about the Marriott / Starwood data breach that may have impacted up to 500 million guest records. The information includes name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for about 327 million guests. Encrypted payment card information was also stolen.
According to the hotel company, an internal security tool alerted it to an unauthorized attempt to gain access to the U.S. Starwood guest reservation database on September 8. Further investigation uncovered unauthorized access to the network since 2014.
The company also discovered that cyber intruders had copied and encrypted information and had tried to delete it. On November 19, 2018, Marriott finally decrypted the information to find out it was information from the Starwood guest reservation database.
A small bit of good news
The good news is that the whole Marriott company wasn’t impacted. Marriott acquired Starwood in late 2015 and Starwood brand hotels (including W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels, and Starwood branded timeshare programs) and its reservation system is still separate from other Marriott hotels. That limits the breach to just these brands.
But it also makes me wonder about a previous Starwood data breach.
Bad news: This isn’t Starwood’s first data-breach rodeo
This is not the first data breach for Starwood. Before it was acquired by Marriott, it disclosed that malware had been discovered on point-of-sale registers at more than 100 of its hotels and was designed to collect payment information. The breach is believed to have begun around November 2014 and wasn’t fully resolved until April or May of 2015. At the time Starwood said it had “no indication that our guest reservation or Starwood Preferred Guest membership systems were impacted.”
This is concerning. The current breach seems to identify access going back to 2014. Even if these are two totally unrelated breaches, shouldn’t this breach have become apparent in the investigation of the first breach?
Imagine if this happened at a financial institution. There’d be potential for some serious enforcement actions or fines.
And in fact, there is the potential for fines. Since Starwood is an international brand, it’s likely some of those 500 million customers are citizens of the European Union where the General Data Protection Regulation (GDPR) gives citizens some of the strongest privacy protections in the world.
Implemented this past May, GDPR protects any information that links to an individual, including names, email addresses, IP addresses, photos, social networking sites in addition to what Americans consider sensitive customer data. Breaches must be disclosed within 72 hours.
Fines can be huge: up to four percent of gross revenues for the most egregious violations, including insufficient customer consent to process data, and two percent of gross revenues for violations like not having records in order or failing to promptly notify customers and authorities of a breach.
Marriott clearly breached sensitive data and it appears to have taken more than 72 hours to disclose it. This may prove to be a very expensive breach. That’s on top of the cost of setting up a dedicated call center and providing customers with a personal information monitoring service.
At least it has cyber insurance, according to a report from TechCrunch.
Lessons learned: Cyber breaches cost more than cybersecurity
This breach is a valuable lesson for financial institutions and a good case study for risk managers, IT security professionals, and others trying to make a case for increasing the cybersecurity budget and improving risk management.
The cost of a breach can be incredibly high, not just in dollars and cents but also in reputation damage. I wonder what, if anything, could have been done to detect this breach back in 2014. If Starwood had had just a little more thorough risk management or had spent just a little more money on another tool, could it have prevented this whole fiasco? After all, someone was supposed to be looking at the whole system in light of the other breach.
Make sure your institution has completed the FFIEC Cyber Assessment Tool to uncover strengths and weaknesses in its cybersecurity efforts. Not only will you know where improvements are needed, you’ll also know the areas where you’ve already spent enough so you don’t overspend.
A cyber breach can have dire consequences for the safety and soundness of your institution. Make sure you’re doing your due diligence to understand and protect against this risk.