Marriott Headquarters

Massive Marriott Breach Underscores Risk of overlooking Data Liability

Marriott isn’t the only firm with a voracious appetite for customer data. But the Marriott breach underscores how companies fail to price in the risk of poor data security. In the age of GDPR, that could be an expensive failure. 

The massive and years-long data breach affecting Marriott Hotels’ Starwood properties isn’t the largest corporate loss of data ever. (That honor goes to Yahoo!) Still, the theft of data on some 500 million individuals who stayed at Starwood properties shares one important characteristic with the likes of Yahoo!, MySpace, Equifax, Target and (ahem!) Adult Friendfinder: data liability.

Like its neighbors on the “biggest breaches” list, Marriott found itself exposed after failing to adequately secure massive troves of data it collected on its guests. Just as important: if failed to account for the material liability that holding onto that data represented to its shareholders. Unlike its neighbors, however, Marriott finds itself operating in the era of the EU’s General Data Protection Regulation (or GDPR). That means it may pay a steep, monetary price for its failings, experts tell the Security Ledger.

See also: Episode 97: On eve of GDPR frightening lack of data privacy, security in US

Marriott Headquarters
Marriott said a breach at its Starwood Hotels division exposed information on 500 million people.

On Friday, Marriott disclosed that it has been investigating  “a data security incident involving the Starwood guest reservation database.” The investigation was triggered by what Marriott described as an “internal security tool.” Subsequent investigation by security pros revealed that “an unauthorized party had copied and encrypted (guest reservation) information, and took steps towards removing it” from the company’s network. The intruders, Marriott disclosed, may have been on the company’s network for as four years and are believed to have obtained information on 500 million guests who made a reservation at a Starwood property prior to September 10th.

For more than 300 million of the victims, the information stolen by the hackers is rich. Marriott said the stolen data includes guests’ names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender as well as their arrival and departure information, reservation date, and communication preferences. In some cases, encrypted payment card data was also stolen, though it is unclear if that data is also likely to have been exposed.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s President and Chief Executive Officer said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

In keeping with other breached firms, Marriott has offered affected customers (or at least some of them) free fraud monitoring services. Marriott, Sorenson, said “is reaffirming our commitment to our guests around the world,” and will be “devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

See also: NotPetya Horror Story Highlights Need for Holistic Security

But security experts said those assurances amount to sincere promises to close the barn door after the horses have left.

“For almost five years, the intruders were able to explore and exfiltrate information from the network…Think of it this way: Starwood unintentionally became a trojan horse into the Marriott network,” Scott Scheferman, the Senior Director of Global Services at the security firm Cylance said in a statement.

Behind the specifics of the breach was a larger failure, Scheferman and others agree: Marriott’s failure to adequately assess the cyber security posture of Starwood hotels in the process of buying it and, then, to price in the company’s cyber security risk and the potential liability that the company’s wealth of data and shoddy security placed on Marriott shareholders.

“To me, the Marriott breach is before anything else, a demonstration of a merger & acquisition that failed to account for security as a risk,” said Vanessa Henri, the Data Protection Officer at Hitachi Systems Security.*

Specifically, Henri and other experts have pointed to an earlier breach of Starwood, first disclosed in 2015. As reported by Security Ledger at the time: that breach affected Point of Sale systems at Starwood hotels and may have begun as early as 2014. More than 50 Starwood hotels were the victims of that hack. If security experts investigating that attack failed toroot out the cyber criminals behind it, those attackers may have pivoted from Starwood’s point of sales systems to its reservation systems and other valuable IT assets

Assuming that breach was disclosed to Marriott during negotiations for the sale, it should have been a major issue and concern for Marriott as the perspective buyer. “Clearly as part of the M&A due diligence, the cybersecurity of the reservation databases was not considered a risk worth inquiring into. This is definitely the biggest lesson learned there,” wrote Henri of Hitachi Systems Security.

Following the lead of Silicon Valley and social media giants like Google and Facebook, businesses of all stripes have been encouraged to collect and mine the data of their customers. The more data, the better. But such calculations fail to account for the cost of securing the data and the risks to the organization should it lose control of that data through their own fault or the fault of a business partner or contractor.

That’s a mistake – and one that the GDPR will make clear, Henri said. In addition to being subject to fines of up to 4% of the company’s annual revenue. With Marriott’s 2017 revenue at more than $22 billion, the company could be staring at a fine of $900 million or more.

But first, regulators will need to parse the Marriott incident. GDPR is not applied retroactively, meaning that breaches that occurred before the Regulation went into effect on May 25, 2018 would be covered by the EU’s preceding data privacy directive. However, any awareness of exposure or theft of GDPR-covered data occurring after May 25 fall squarely under GDPR.”

“I would think at least part of this behavior falls under the GDPR,” Henri noted. “The regulators could use both regimes by dividing the events over two timelines, or decide to stick with either one of the regimes, focusing on certain events as opposed to others.”

In echoes of the Watergate scandal, the question may be ‘what Marriott knew and when the company knew it.’ “I would probably aim for the GDPR. There are sufficient evidence under this regime to make a case that it should have been discovered earlier and that there were poor security measures. Now, the FTC and other entities will definitely be looking at the entire situation.”

(*) Hitachi Systems Security is a sponsor of The Security Ledger