Security Exchange News

Hack a Nice Stay

06 December 2018

Marriott International announced last week that up to 500 million of its guests may have had their personal and financial information compromised due to a massive data breach which hit its Starwood Hotels and Resort database. Marriott International completed the acquisition of the Starwood network in 2016, claiming to become the world’s largest hotel company. Names, dates of birth, passport numbers, credit card details, loyalty programme information and various other pieces of data are among those compromised. Marriott already stated that it is working alongside local and federal authorities in the US and abroad to assist guests who were affected and to ensure that their data is recovered.

A class-action lawsuit has been filed against Marriott International, with plaintiffs seeking billions of dollars in compensation, and the US government and high-level politicians have also stepped in to investigate the breach. New York Attorney General Barbara Underwood promptly announced that a full investigation was being opened, while Senators and House Representatives are also closely following the case. Marriott International has been asked to submit a full report to the US Senate Commerce Committee, while senators Chuck Schumer, Elizabeth Warren, John Kennedy and Ron Wyden all raised concerns over the hacking. Meanwhile, the US State Department has also issued an advisory regarding the passport numbers which were compromised. It reiterated that the passport number is one of the multiple security features of the document and that hackers did not gain access to their records. This latest breach highlighted the ongoing concern over lax privacy and data protection laws in the US.

Although Marriott International is based in Bethesda, Maryland, the data breach may taint the hotel chain’s image abroad in Europe. The General Data Protection Regulation (GDPR) has been enforced across all 28 European Union countries since May 2018. Data breaches may lead to record fines – up to four percent of a company’s annual turnover – against companies that fail to secure customers’ personal information. Scrutiny significantly increased after Marriott International confirmed that the breach dates back to 2014. According to the company, an unauthorised third party gained access to the Starwood network, copying and encrypting guests’ data in order to later extract it from the server. Investigations are now directed at when the breach was first identified and how long it took Marriott International to notify the affected parties – GDPR sets a 72-hour window.

This latest data breach has reignited the debate on reinforcing data protection and privacy laws in the US. Currently, there is no broad or general set of laws which regulates the collection and use of personal data in the country. Although some laws on data protection exist, they are often restricted to a specific business sector or activity, while state and federal laws fail to coordinate efforts. However, state governments are pushing to introduce laws of their own. In June 2018, California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law – due to come into full effect in 2020. The CCPA is essentially a US state version of the GDPR, which seeks to enhance data protection and the rights of consumers in California. Companies based or trading in the state will be subject to the new legislation, which has faced severe resistance from some tech giants in Silicon Valley. Meanwhile, on the US East Coast, another law was recently passed in the state of Vermont to protect consumers from data brokers. The law calls for transparency in selling and trading data, the enhancement of security measures and the enforcement of stricter rules. However, the law is limited to data brokers only, while social media platforms and major companies are excluded from the legislation. Nevertheless, this type of legislation may spread to other states and become more comprehensive in the future as data breaches become commonplace.

The Marriott International data breach was one of the most serious to be reported in recent years. However, it is still far from comparable to the Yahoo mail system hackings in 2013, 2014 and 2016, which are thought to have affected over three billion users. In recent months, data breaches affected major international corporations such as British Airways and Quora. Concerns over data protection were also heightened after the Cambridge Analytica scandal was uncovered in 2018, when the UK-based company collected data from millions of Facebook users. The case forced Facebook CEO Mark Zuckerberg to testify before the Senate Commerce and Judiciary Committees to discuss users’ privacy, the trading and storing of data, regulations and even the alleged Russian interference in the 2016 US presidential elections.

Malicious actors and criminals continue their quest to find intrusive and innovative ways to acquire all kinds of data, either to commit financial crime or simply to sell it on to the highest bidder on the dark web. The hospitality industry is thought to be one of the most vulnerable to hackers, with hotels providing a breeding ground for data breaches. Hotel hacks have become increasingly frequent in recent years, as most chains choose to unify their services in a single network, allowing hackers easy access to as much information as possible.