Marriott Downgrades Impact of Massive Data Breach
Originally, Marriott confirmed the personal information of up to 500 million guests may have been stolen after its reservations database was hacked. It now says fewer than 383 million individual guests were impacted because multiple records appear to be for the same guest.
About 5.25 million, or 1 percent, of the 383 million records affected by the data breach contained unencrypted passport numbers or payment information, according to Marriott. It has no evidence that the master key used to decrypt this sort of information was accessed by the unauthorized third party.
The information accessed also includes about 20.3 million encrypted passport numbers.
Mark Sangster, eSentire’s vice president of strategic marketing, tells us that’s good news for the 99 percent of affected customers.
“Yet, the impact and clean-up costs associated with the 5.25 million customers will have significant impact, and likely bring investigations at the hands of the Office of Civil Rights and Europe’s General Data Protection Regulation (GDPR),” he said.
About 8.6 million encrypted payment cards were involved in the data breach. Of that number, about 354,000 payment cards were unexpired as of September 2018. There’s no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers, according to Marriott.
Mark Bower, Egress Software Technologies’ general manager and chief revenue officer, tells us it’s difficult to understand how 5 million passport numbers would be centrally retained by any organization without effective data privacy applied to it.
“Attacks to vulnerable systems are a simple fact of business life,” he said. “However, identity data is often stored by hotels for reasons that may not be clear at first, requiring balance of legal and compliance obligations, and the risk of sensitive data storage.”
Ultimately, it’s the simple, everyday processes where users capture data to do their job that puts it at risk if it’s not secured automatically — either by an organization or one of its partners, Bower said.
“Somewhere in this investigation, it’s likely a sequence of stark and baffling, yet simple human errors will be the root cause, amplified by system vulnerabilities leading to exploits and vast extraction of dangerously sensitive data that can affect people’s lives, not just their livelihood,” he said.
Partners should advise their customers about the business value of the security solutions they are promoting, not just the technical aspects of the solution, said Chris Braden, eSentire’s vice president of global channels and alliances.
“They should be able to articulate how that technology translates to both business value and risk mitigation so the customer can better understand their security posture, and make better informed decisions about how they are spending their money,” he said. “This goes far beyond simply explaining the cost of the solution and the ongoing cost of maintenance and management. It should also extend to the business value that is created by a solution (e.g. a managed solution that enables a customer to dedicate resources to other projects/responsibilities) and the risk that can be mitigated (usually tied to the analysis of a risk assessment and penetration testing).”