Marriott Downgrades Impact of Massive Data Breach
About 1 percent of the 383 million records affected by the Marriott data breach contained unencrypted passport numbers or payment information.
January 4, 2019
Originally, Marriott confirmed the personal information of up to 500 million guests may have been stolen after its reservations database was hacked. It now says fewer than 383 million individual guests were impacted because multiple records appear to be for the same guest.
About 5.25 million, or 1 percent, of the 383 million records affected by the data breach contained unencrypted passport numbers or payment information, according to Marriott. It has no evidence that the master key used to decrypt this sort of information was accessed by the unauthorized third party.
The information accessed also includes about 20.3 million encrypted passport numbers.
Mark Sangster, eSentire’s vice president of strategic marketing, tells us that’s good news for the 99 percent of affected customers.
“Yet, the impact and clean-up costs associated with the 5.25 million customers will have significant impact, and likely bring investigations at the hands of the Office of Civil Rights and Europe’s General Data Protection Regulation (GDPR),” he said.
About 8.6 million encrypted payment cards were involved in the data breach. Of that number, about 354,000 payment cards were unexpired as of September 2018. There’s no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers, according to Marriott.
Mark Bower, Egress Software Technologies’ general manager and chief revenue officer, tells us it’s difficult to understand how 5 million passport numbers would be centrally retained by any organization without effective data privacy applied to them.
“Attacks to vulnerable systems are a simple fact of business life,” he said. “However, identity data is often stored by hotels for reasons that may not be clear at first, requiring balance of legal and compliance obligations, and the risk of sensitive data storage.”
Ultimately, it’s the simple, everyday processes where users capture data to do their job that put it at risk if it’s not secured automatically — either by an organization or one of its partners, Bower said.
“Somewhere in this investigation, it’s likely a sequence of stark and bafflingly, yet simple human errors will be the root cause, amplified by system vulnerabilities leading to exploits and vast extraction of dangerously sensitive data that can affect people’s lives, not just their livelihood,” he said.
Partners should advise their customers about the business value of the security solutions they are promoting, not just the technical aspects of the solution, said Chris Braden, eSentire’s vice president of global channels and alliances.
“They should be able to articulate how that technology translates to both business value and risk mitigation so the customer can better understand their security posture, and make better informed decisions about how they are spending their money,” he said. “This goes far beyond simply explaining the cost of the solution and the ongoing cost of maintenance and management. It should also extend to the business value that is created by a solution (e.g. a managed solution that enables a customer to dedicate resources to other projects/responsibilities) and the risk that can be mitigated (usually tied to the analysis of a risk assessment and penetration testing).”