Marriott Starwood data breach notification de-values customers

Former Senior Technology Editor

It’s never good news when a large organization makes headlines for a cybersecurity incident, but when they keep happening, even the most egregious data exposures become run-of-the-mill.

For example, take the latest record-setting event: the Marriott Starwood data breach, which exposed at least some data of approximately 500 million customers — and enough data to be dangerous to about 327 million of those customers. Not as big as the Yahoo breach reported in 2017, in which all of Yahoo’s users — three billion of them — were exposed. But the impact of the Marriott Starwood data breach is likely far greater.

The Marriott Starwood data breach, starting in 2014 and ongoing until this year, exposed some combination of “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences” for about 327 million of its customers.

Just five years ago, an enterprise that exposed personal data in a cyberattack would notify its customers — usually, by postal service — and provide access to assistance, which included some form of identity theft monitoring or protection to the violated customers.

We’ve come a long way since the 2013 Target breach, after which the retail giant cleaned up its cybersecurity act and made serious efforts to regain the trust of its customers. After it was breached, Target notified its affected customers, told them they would not be liable for charges made to their cards fraudulently, and offered them a year of free credit monitoring and identity theft protection. This came to be viewed as the baseline for breach response — but Target went beyond that. Target went on the offensive to protect itself and its customers from attack: it was one of the first major U.S. retailers to roll out EMV-compliant point of sale payment terminals and EMV chip and PIN payments cards (the Target REDCard).

Now, the baseline seems to be last year’s Equifax breach, after which it was clear that the consumer credit rating agency not only failed at defending its data but also failed at properly notifying affected consumers while also initially treating the event as a revenue-enhancement opportunity by offering an inadequate protection service for free — for the first year — which turned into a paid subscription thereafter.

What happened?

Breach fatigue happened. By now, most consumers have had their personal details exposed multiple times by giant corporations, have been notified multiple times of their exposures, may even have tried using one of the many “first year free” credit monitoring and identity theft protection services.

Even the way Marriott Starwood data breach notifications were sent out to the hundreds of millions of customers whose data was compromised raised questions. While the email Marriott sent out claimed that notifications were being sent out to affected customers “on a rolling basis” starting on Nov. 30, it wasn’t until Dec. 10 that widespread reports of the notification began to surface — including reports that many of those notification messages went directly to the spam folder. For example, Martijn Grooten, the security researcher and editor of Virus Bulletin, tweeted that “If the Marriott breach notification email was marked as spam (as it was for me), here’s a possible reason why,” linking to a Spamhaus article that explained why Marriott’s notifications wound up in spam folders: Marriott used a sender domain for its email notifications — @email-marriott.com — that looked malicious. And while the notification mentioned that affected customers could enroll with the WebWatcher monitoring service, no link to that service was provided in the notification.

If the pattern hadn’t already been set by data breach responses like those from Yahoo and Equifax and many others like the marketing company Exactis, which also exposed hundreds of millions this year, it would certainly seem as if Marriott is breaking a new trail of arrogance and ignorance, repeating many of the same failures that some enterprises seem to think are acceptable. But the hospitality giant is merely adopting what has become a sorry standard for breach responses.