Last week Marriott, the world’s biggest hotel company, announced that its subsidiary Starwood had suffered a major data breach that has led to the data of 500 million users being leaked over a four-year period since 2014.
Though not the biggest ever – don’t forget Yahoo!’s 2014 mega-breach – this is a truly huge leak of personal information. Not only that, the nature of the information involved is highly sensitive; for 385 million victims, it includes passport numbers, as well as names, addresses and email addresses.
It is not yet clear how the data breach came to be, though we do know in what circumstances it came to be revealed. An internal security audit discovered a (what), after which point a database was found containing information belonging to the half a billion victims.
The reaction from commentators has been, perhaps unsurprisingly, strong.
Veteran cybersecurity investigative journalist Brian Krebs had this to say: “Anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.”
That message is clear, and has been repeated many times before. Something else that is worryingly familiar is the criticism of the company’s reaction in the immediate aftermath of the announcement.
So many times, the already catastrophic reputational effect of a huge data breach is compounded by unclear and ineffective instructions to consumers, which sometimes go as far as exacerbating the initial breach.
That seems to be the case here, too. A TechCrunch report notes that the website and email domain set up by Marriott following the attack, which allows people to see if they have fallen foul of the hackers, and helps them take appropriate action, does not look particularly official, and would be hard to tell apart from a phishing attempt.
Combined with the fact that ill-intentioned and opportunistic people often try to take advantage of a hack such as this, sending out fake emails purporting to come from the company involved in order to gain access to victims’ information for their own purposes, this is a particularly egregious error.
The international perspective
Hacks and data breaches of this kind, if not this scale, are depressingly regular. But one notable trend is that companies in this sector seem particularly vulnerable. Cathay Pacific was a recent victim, and British Airways has suffered its fair share of problems. And now the world’s biggest hotel company has fallen foul of hackers, too.
The reason for this, onlookers say, is the wealth of sensitive information these types of organisations hold. Financial and identity information means that a database of this kind will be highly valuable to those looking to commit identity theft.
But by their very nature, organisations in the travel and tourism industry are international. And the response that consumers and victims can take to these types of hacks varies greatly from country to country. In Europe, data protection rules are very strong. In China, for instance, they are much weaker.
But rather than looking at the problem from that side, perhaps companies should be investing in cybersecurity skills. As we noted last week, skills in this area are in high demand, but people with the necessary ability are lacking.
So for those in the industry, it’s clear that having these skills is more important than ever – they could one day save a company from a very expensive lawsuit.