04 December 2018

The Marriott Breach: Implications, Consequences, Accountability


Marriott marquee

Last week, we were all duped by another round of hackers…and it took the affected company years before it finally figured out that it had been breached. Marriott International released information last Friday that a Starwood database had been breached, compromising the personal information of up to 500 million of its customers and making it one of the largest breaches in history (behind the Yahoo breach that affected 3 billion).

The personal data compromised in this Starwood breach is believed to be a combination of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences…in other words, very little was left untouched.

“We should look at the significance of a breach based not on volume, but rather on the value of the data and what malicious hackers could potentially do with it…The impact of a breach can extend exponentially when you have data from 500 million people; think ransom emails and widespread identity theft,” – Synack Red Team ethical hacker

What does this mean for Marriott?

It’s going to cost them.

Starwood was acquired by Marriott in 2016 for $13.6 billion. If we ever needed proof that poor security can be damaging to company value, we can look to the Verizon acquisition of Yahoo, where Yahoo's acquisition price was cut by $350 million after a string of large-scale breaches.

What’s interesting in the Marriott/Starwood case is that the breach happened before the acquisition, but the acquisition went through before the breach was announced. How much potential value does this knock off the Starwood acquisition for Marriott? It’s hard to say, but it is worth noting the $350 million price cut in the Yahoo acquisition and the $430 million in projected costs (on top of losing a quarter of their value) for Equifax after its breach earlier this year.

Security due diligence is often neglected when it comes to mergers and acquisitions, but it should be a vital part of the process during any investment or acquisition. Choosing not to look into something that could cost you hundreds of millions of dollars in costs, brand damage, and value loss is a missed opportunity.

To add fuel to the growing fire, Marriott’s share price was down more than 5 percent on Friday.

And it hurts in more ways than one.

This year, GDPR went into effect in Europe, intended to dial up the consequences for organizations that don’t protect consumer data privacy. Under this regulation, companies can be fined up to 4 percent of global revenue. According to Enza Iannopollo, a security analyst with Forrester Research, interviewed by the New York Times, “Marriott has the potential to trigger the first hefty G.D.P.R. fine” given the nature of the breach and the PII involved.

Should the US start enacting similar data security laws? Many believe we’re past due in making companies accountable for the cost of their own poor security instead of making consumers shoulder the burden, and new laws that enforce more accountability on breached companies are gaining momentum. For example, a Florida Senator supports criminal penalties, including jail time, for executives who don’t report their companies’ breaches responsibly or promptly. In June of this year, California passed the California Consumer Privacy Act, the first US law similar to GDPR, though its penalties for a breach range from $2,500 to $7,500 per violation.

It’s interesting to note that a lot of headlines read like this after a breach: “Marriott data breach: what consumers can do to protect themselves”. Since it is consumer data that is at risk, the burden has traditionally fallen on the consumers themselves to ensure they are protected post-breach. But times are changing…in the case of Marriott, the company was sued just hours after announcing the breach. The two lawsuits, from Maryland and Oregon, are seeking class-action status, and the Oregon lawsuit is seeking $12.5 billion in damages (equating to $25 for each of the 500 million users compromised), according to ZDNet.

This follows a similar script to what unfolded after the recent Anthem breach, where Anthem paid out a $115 million settlement after 79 million records were stolen from its systems and a class-action lawsuit made its way through California federal courts.

Potential customers will make choices accordingly.

The impact of a breach extends well past the measurable short-term financial losses, lawsuit settlements, and fines. As a consumer, as a hotel guest with choice, it’s reasonable to expect that you would choose to stay at a hotel that hasn’t been breached. Why risk the chance of exposing your personal data by entrusting it to corporations that have a poor track record for security?

The effects of a breach have the potential to outlast the news cycles, and they affect more than just what we can measure. “Equifax” is now almost synonymous with “breach”, which is not good news for breached brands and what it means for customer trust.

Security needs to be a lifestyle.

The troubling part of this news is not the fact that Starwood was vulnerable, or even that it was breached. In a complex, constantly changing digital world, weaknesses are everywhere and failures happen. We can’t expect organizations to be 100% airtight all of the time, because security is rarely perfect.

But we should be very troubled by the fact that the breach went unnoticed for four years. Consumers should rightly expect that the organizations holding our personal data are doing what they can to protect it. Organizations should rightly assume that they are responsible for finding the weaknesses in their systems and remedying them promptly, and continuously, to protect (and keep) their customers.