Los Angeles Times

Hotel chain hit by data breach

Information of up to 500 million Marriott customers may have been compromised in the last four years.

- By Sam Dean

Marriott says the personal information of up to 500 million customers was possibly compromised over the last four years.

Marriott International Inc. announced Friday that a data breach lasting four years has compromised the personal information of up to 500 million of its hotel guests worldwide. The breach, one of the largest ever, raises questions about whether companies have enough incentive to protect people’s private data.

The compromised data include passport numbers, birth dates and potentially credit card information.

New laws in Europe could stick the global hotelier with hundreds of millions of dollars in fines.

The security breach affected the reservation system of Starwood, a hotel company Marriott acquired in 2016, and affected guest information for reservations made from an unspecified date in 2014 through Sept. 10 of this year. Starwood properties include W Hotels, St. Regis, Sheraton and Westin, among others.

“We fell short of what our guests deserve and what we expect of ourselves,” Chief Executive Arne Sorenson said in a statement.

Marriott’s stock slid 5.6% on Friday to $115.03 a share.

The Bethesda, Md., company said affected residents of the United States, Canada and the United Kingdom would be eligible for a free year of enrollment in WebWatcher, an identity fraud alert system.

The U.S. State Department did not appear concerned about the exposure of passport numbers. “The U.S. passport book and passport card are highly secure documents,” and no one can travel or access State Department records with just a passport number, it said.

Marriott said it was first alerted to a potential breach Sept. 8 and found that a cache of information had been copied, encrypted and possibly removed by an unknown hacker. On Nov. 19, the company managed to decrypt the files and discovered the magnitude and nature of the breach.

In a regulatory filing, the company said that it could not yet estimate the financial impact of the breach but noted that it does carry cyber insurance.

A July 2018 study commissioned by IBM and carried out by the Ponemon Institute, a data security think tank, found that the average cost of a data breach for affected firms amounted to $148 per stolen record.

But most of the breaches in the study were far smaller than the Marriott hack. Ponemon Institute Chairman Larry Ponemon said that for “mega breaches,” in which more than 1 million records are affected, economies of scale kick in. “Once you have more than 50 million records, it goes down to around $7 a record,” Ponemon said Friday.

Calculating the cost to people whose data have been compromised is more difficult, Ponemon added. “The average person right now, unbeknownst to most of them, has their names in at least four data breaches,” which makes connecting one breach to a particular incidence of identity fraud almost impossible.

But experts say many companies continue to have a startlingly lax approach to data security. “If you want to fix this, you need to regulate these companies,” cybersecurity expert Bruce Schneier said. “We need actual fines. The market rewards lousy security.”

“We find that organizations that spend the money on security upfront can probably count on cost savings,” Ponemon said. “But some organizations see data breaches as cost of doing business — if they have a data breach, they’ll be able to pay the fee and hire the law firm and deal with regulators.”

The companies affected by the most notorious recent data breaches have suffered some consequences, both from market forces and from regulators.

In 2017, Yahoo confirmed that every single one of its 3 billion user accounts had been compromised.

After the breach was announced, Verizon Communications knocked $350 million off its $4.83-billion offer to buy Yahoo’s core internet business. This April, the U.S. Securities and Exchange Commission reached a $35-million settlement with Altaba — the investment company created out of the Yahoo holdings Verizon did not buy — for failing to disclose the breach for almost two years. And in October, Altaba and Verizon settled two class-action suits for a total of $165 million.

In last year’s Equifax debacle, hackers got into the credit reporting firm’s database and stole the Social Security numbers, dates of birth, home addresses and, in some cases, driver’s license and credit card numbers of 147 million people.

Equifax’s stock crashed after the firm disclosed the breach, but one year later, the shares had regained nearly all of their value. In filings, the firm said that the breach has cost $384 million in improved security technology and crisis management, $125 million of which was covered by insurance.

To date, Equifax has faced fines only in the UK, where it was hit with the minimum fine of about $640,000 for compromising the information of 15 million Britons. Under the more stringent General Data Protection Regulation laws which have since taken effect across Europe, the company could have been fined up to 4% of its annual revenue, which would be well above $100 million.

“Marriott will weather the bad press and nothing will happen,” Schneier said.

The Marriott breach might prove a fertile testing ground for Europe’s new GDPR rules, which stipulate that companies must report a breach involving information about European Union citizens within 72 hours.

A spokesman for the Irish agency responsible for GDPR enforcement said the agency had not received any official notification from Marriott. Marriott said that it reported the incident to law enforcement agencies.

In early November, Sen. Ron Wyden (D-Ore.) proposed a bill that would make data breaches much more painful for companies in the United States.

Following Marriott’s announcement of the data breach Friday, the attorneys general of New York and Texas each opened an investigation. And a law firm asked a court in Maryland to grant class-action status to a suit accusing Marriott of negligence, breach of confidence and deceptive and unfair trade practices.
