Brian Jackson - Fotolia
Marriott discloses Starwood data breach affecting 500 million guests
Marriott International admitted to a Starwood data breach that began in 2014 and affects about 500 million customers. Experts are unsure about the GDPR implications.
Marriott International Inc. recently disclosed a data breach involving its Starwood guest reservation database that exposed the personal data of 500 million customers.
Marriott said it initially received the alert regarding the Starwood data breach on Sept. 8, 2018, and began an investigation into the issue. The investigation uncovered "unauthorized access to the Starwood network since 2014," and specifically access to a database containing guest information related to Starwood properties "on or before September 10, 2018."
"Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," Marriott wrote in a blog post. "Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ('SPG') account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences."
Marriott added that some payment card information was included in the Starwood data breach, which was encrypted using AES-128. However, "Marriott has not been able to rule out the possibility" that both keys needed to decrypt that information were also stolen.
Marriott did not respond to requests for comment at the time of this post.
Jeff Pollardvice president and principal analyst, Forrester Research
Jeff Pollard, vice president and principal analyst at Forrester Research, noted that the timeline of the Starwood data breach goes back two years before Marriott acquired Starwood.
"Marriott and Starwood merged in 2016, but this breach goes back to 2014 per the details released. Since Marriott properties were not affected, this appears to have been solely a Starwood incident," Pollard said. "That means it also went undetected during the merger and subsequent consolidation efforts.
"With all the [mergers and acquisitions] occurring, it highlights the importance of robust cybersecurity due diligence during the acquisition process. Marriott now faces brand and reputational damage, regulatory oversight, and legal issues as the result of a cybersecurity incident that occurred two-plus years before they announced the acquisition of Starwood."
Marty Puranik, CEO of cloud service provider Atlantic.Net, said that because of the sensitive data potentially compromised in the Starwood data breach, users should take advantage of ID monitoring services like those offered to victims by Marriott.
"Consumers should limit what they provide companies based on their need to know," he said in an email. "Often, companies gather data that they may not need, but take if volunteered. For example, they may ask for passport information, but it may not be required, or you can ask what alternative forms of identification you can give.
"In cases where your information is improperly used and you can tie it to a specific vendor, demand that they provide a credit liaison or fraud specialist to help you. These specialists handle these cases on a daily basis and have a checklist of what to do to help deal with all the paperwork/agencies. Typically, these are provided for free by larger corporations that are culpable in a breach."
Rusty Carter, vice president of product management at Arxan Technologies, said the Starwood data breach was especially damaging because of the "treasure trove of information that hackers can use to build sophisticated, comprehensive dossiers on these high-value targets -- individuals who can afford to stay at Starwood properties.
"This attack sheds light on the fact that many enterprise back-end systems and databases are vulnerable because they must trust the application accessing them," he said. "Furthermore, the massive size of this breach further highlights the need for regulation to protect consumers.
"Companies need to protect their applications from tampering and reverse-engineering attacks if they want to keep or rebuild their customers' trust. Key to minimizing the impact and likelihood of success is developing strategies that include strong detection and reporting of the health and status of applications both inside and outside the company's network."
With 500 million customers affected, including guests from the European Union (EU), Marriott could be at risk of GDPR fines, but experts are unsure how such penalties could play out.
Pollard noted that because Marriott discovered the breach in September but did not disclose it until now, the disclosure would be "out of the [72 hour] breach notification requirement set up in the GDPR" and potentially in conflict with state-level laws, as well as the recently enacted Canadian breach notification requirement.
"Certainly, the breach that started in 2014 was still ongoing under [the] GDPR regime. And the breach notification is only one of the requirements of the regulation," Pollard said in an email. "Pandora's box is open and regulators will likely start to ask questions about the company's data handling practices: have they tracked and risk assessed their data processing activities, how and why they collected personal data, why it was still in their systems, etc. The implications here can be enormous, also, in terms of fines and potential enforcement action."
However, Ilia Kolochenko, CEO and founder of High-Tech Bridge, said Marriott "may try to find various excuses or mitigating circumstances" to avoid that penalty.
"Legal ramifications for Marriott and its subsidiaries can be tremendous, from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims," Kolochenko said.
"It really depends on the technical details of the breach," she said. "If negligence is the root cause of the breach, plaintiffs will have greater chances to prevail on their claims and get bigger damages or settlements. However, if it were a highly sophisticated APT [advanced persistent threat] that no company in the industry with due care and reasonable investment into cybersecurity could have detected, they may have a valid defense or at least a mitigating circumstance."
Tim Erlin, vice president of product management and strategy at Tripwire, said that might be the case for the maximum fine, but "the actual fines are determined on a case-by-case basis."
"GDPR has multiple, separate disclosure requirements. The organization is required to notify their supervisory authority [SA] -- a government entity in the EU -- within 72 hours," Erlin said. "Notifying the SA doesn't necessarily require or cause notification to those affected. Notification to affected data subjects is required 'without undue delay,' a term which leaves room for any number of circumstances." If Marriott is penalized to the full extent of GDPR, it could mean a fine of 4% of its 2017 revenue -- approximately $915.6 million.