Governance, Risk and Compliance, Content

How Bad is Marriott’s Starwood Data Breach? (Hint: The GDPR Fines, Lawsuits Could be Really Bad)

Marriott’s disclosure that its Starwood Hotels unit left vulnerable some 500 million customer records is pretty bad for sure. It makes Facebook’s 90 million fiasco look calm by comparison but it falls well short of Yahoo’s three billion pilfered records.

However, (and this is not to downplay the inconvenience forced on the millions affected by the break-in), the far more serious consequence to the hotel conglomerate may come from fines levied by the European Union’s new General Data Protection Regulation (GDPR). While there’s no telling exactly how many millions of customer details the hackers made off with (the numbers usually expand over time), a significant portion has to have come from EU citizens, given Marriott’s global stature. The resulting penalties, were Marriott judged to have violated GDPR rules, could reach four percent of its annual sales worldwide. Based on Marriott’s 2017 total revenue of $23 billion, the fine might touch $900 million. Moreover, class action lawsuits are likely to follow that could tack on millions more.

Marriott's Starwood Hotel Data Breach: GDPR Fines?

Without doubt, GDPR investigators will want to know why Marriott appears to have waited longer than necessary to announce the breach to customers. Under GDPR, data breaches must be disclosed within 72 hours of first detecting the hack. In its statement, Marriott said no more than it had “already begun notifying regulatory authorities.” It's tempting to call that arrogance of the first order.

Meanwhile, the New York Attorney General's office said it will inquire further, as did Attorneys General in Connecticut, Illinois, Massachusetts and Pennsylvania. So will the U.K.'s Information Commissioner's Office. “We’ve opened an investigation into the Marriott data breach. Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach. They have not done so as of yet,” Amy Spitalnick, Communications Director and Senior Policy Advisor, Office of the New York Attorney General, told Reuters.

Who knows what might come of those investigations? What other states might press Marriott for answers?

Given the size, importance and reverberations of the Starwood breach, a number of cybersecurity experts and a politician here and there have raised questions about Marriott's security protocols and its plans to help customers right now. Bill Evans, VP of Marketing at One Identity noted that "there are levels of severity regarding the types of personal information that is hacked. The passport information is another level. It’s not a simple task to get a new passport.”

And, Senator Chuck Schumer (D-NY) said on Sunday that Marriott should cough up $110 to buy new passports for each customer who had their passport numbers stolen. “Right now, the clock is ticking to minimize the risk customers face and one way to do this is to request a new passport and make it harder for thieves to paint that full identity picture,” Schumer said, according to The New York Post.

Marriott's Starwood Hotel Data Breach: Experts Weigh In

Here's more reaction from industry experts:

On service industry incidents:
“The incident is not a surprise, taking into account the sophistication of the attackers that prefer to target systems in the service provision chain in which security attention may be lower, such as cash registers and POSs rather than central systems directly.” -- Chris Dimitriadis, past board chair of ISACA.

On lapse in detection:
“A four-year lapse in detection signals a significant process flaw. You can have the best security tools money can buy, but if you don’t invest equally in the people interacting with the technology, then you’re making a costly mistake.” -- Tom Callahan, MDR Services director, ControlScan.

On security blind spots:
“Marriott is not alone in its lack of visibility over its infrastructure. It’s concerning when it takes an organization months, or even years, to recognize that a breach has occurred – it highlights the inadequacy of reactive security solutions.” -- Rich Campagna, CMO, Bitglass.

On mitigation:
“Companies must rethink their reactive cybersecurity strategies that detect and control breaches in progress or after they happen. At that point, it’s too late.” -- Mark Weiner, CMO, Balbix.

There will be more fallout and repercussions from the breach for Marriott, that's for certain. And, it's probably going to be bad. Stay tuned.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.