DATA BREACHES have become so common that even the most important are no longer in the news. But on November 30, Marriott International, a large American hotel chain, announced a real whopper. Half a billion records in a database owned by Starwood, one of the company’s subsidiaries, had been accessed by hackers.
The firm does not know exactly what was taken. But it believes that for about 327 million guests, the exposed information includes some combination of names, addresses, dates of birth, passport numbers and more. Some people in this subset (the company has not said how many) may also have had their credit-card details stolen. Those card details were encrypted, which should have prevented attackers from using them. But Marriott says it cannot rule out the possibility that the secret keys needed to decrypt them were also taken (storing encryption keys alongside the data they protect is a bad idea, precisely for this reason).
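The parenthetical above is the one design lesson in this story, so here is an added illustration of it (not code from Marriott, Starwood or any real system). It models "envelope encryption": each card number is encrypted under its own data key, and that data key is wrapped by a key-encryption key that lives only inside a separate key service, standing in for an HSM or cloud KMS. The cipher is a constructed HMAC-SHA256 stream cipher with a MAC so the file runs offline on the standard library; in production you would use AES-GCM from a real library. The guest id and card number are constructed sample values. The two attacker functions contrast a dump taken without the key service against the anti-pattern where the key file sits on the same host as the data.

```python
"""Envelope encryption with the key-encryption key (KEK) held outside the database."""
import hashlib
import hmac
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed CTR-style keystream: HMAC(key, nonce || counter), block by block.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # layout: nonce(16) || ciphertext || tag(32)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Stands in for an HSM/KMS on a separate host; the KEK never leaves it."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return encrypt(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self._kek, wrapped)


class GuestDatabase:
    """Holds only ciphertext and wrapped data keys; this is what a DB dump exposes."""

    def __init__(self, kms: KeyService) -> None:
        self._kms = kms
        self.rows = {}

    def store_card(self, guest_id: str, pan: str) -> None:
        dek = secrets.token_bytes(32)            # fresh data key per record
        self.rows[guest_id] = {
            "card": encrypt(dek, pan.encode()),
            "wrapped_dek": self._kms.wrap(dek),  # usable only via the key service
        }

    def read_card(self, guest_id: str) -> str:
        row = self.rows[guest_id]
        dek = self._kms.unwrap(row["wrapped_dek"])
        return decrypt(dek, row["card"]).decode()


SAMPLE_PAN = "4111 1111 1111 1111"   # constructed test-card number, not real data


def legitimate_read() -> str:
    kms = KeyService()
    db = GuestDatabase(kms)
    db.store_card("guest-42", SAMPLE_PAN)
    return db.read_card("guest-42")


def dump_without_kek_decrypts() -> bool:
    """Stolen dump, key service not reached: the wrapped DEK is useless on its own."""
    kms = KeyService()
    db = GuestDatabase(kms)
    db.store_card("guest-42", SAMPLE_PAN)
    row = dict(db.rows)["guest-42"]
    try:
        decrypt(row["wrapped_dek"][:32], row["card"])   # only key-shaped bytes available
        return True
    except ValueError:
        return False


def colocated_key_dump_decrypts() -> bool:
    """Anti-pattern: the KEK file sits on the same host, so the dump carries it too."""
    kms = KeyService()
    db = GuestDatabase(kms)
    db.store_card("guest-42", SAMPLE_PAN)
    stolen = {"rows": dict(db.rows), "kek": kms._kek}   # key file taken with the data
    row = stolen["rows"]["guest-42"]
    dek = decrypt(stolen["kek"], row["wrapped_dek"])
    return decrypt(dek, row["card"]).decode() == SAMPLE_PAN


if __name__ == "__main__":
    print("legitimate read:", legitimate_read())
    print("dump alone decrypts card:", dump_without_kek_decrypts())
    print("dump with co-located KEK decrypts card:", colocated_key_dump_decrypts())
```

The point the two attacker functions make is the one the article raises: if the breach exposes the database but not the key service, the encrypted card fields stay protected; if the key material was reachable from the same compromised systems, the encryption adds nothing.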
Ranked purely by the number of people affected, the attack is one of the biggest of all time. Yahoo, a large internet company, suffered a data breach in 2013 that affected all 3 billion of its user accounts. AdultFriendFinder, a sex website, had 412 million records swiped in 2016. But in both cases the number of actual people affected was smaller. Such websites are full of duplicate accounts, many of which are rarely or never used and are registered under fake names.
A hotel’s guest database is another matter. A better comparison for the Marriott breach is the 2017 hack of Equifax, a credit-rating agency. Although “only” 143 million records were breached in the Equifax case, they contained sensitive data such as credit-card details and social-security numbers (a unique identifier used by the American government). Equifax has been sued several times over the breach; its boss at the time was forced to resign; and its share price, which fell 14% on the news, took months to recover.
As of this writing, shares of Marriott International have fallen 5%. Marriott said it had reported the incident to the police and had begun informing affected customers. The company hopes that a relatively quick response will appease regulators, customers and investors. But as the circumstances of the breach are examined, the fallout could still prove serious.
The relentless stream of data leaks has led governments and regulators to toughen the rules. In May, for example, the European Union introduced the General Data Protection Regulation (GDPR), which imposes fines of up to 4% of global revenue on companies deemed lax in protecting their customers’ data. Marriott admitted that although the first alert generated by its security software arrived on September 8, hackers appear to have had access to its systems since 2014. Combined with the company’s apparent carelessness with encryption keys, that will surely lead regulators to ask awkward questions about how competent its security was.