Bench & Bar of Minnesota is the official publication of the Minnesota State Bar Association.

The Marriott breach: four years?

The recent Marriott breach resulted in the theft of data regarding 500 million guests. To many, however, the most troubling aspect of the breach is not the sheer number of people affected, but the fact that the breach was ongoing for four years. For four years, Marriott did nothing to stop the leak of customer information to cybercriminals. 

In its official statement this past November, Marriott explained some elements of the information that had been compromised: “For approximately 327 million… guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preference.” Financial information was also compromised; it was encrypted, but Marriott does not know whether the criminals also obtained the encryption key. This breach is definitely noteworthy because it was determined that the affected properties were being accessed since 2014.

For most of us, keeping up with the latest large-scale data breaches and checking on the status of our personal information in each case would be a full-time job. As you read this article, there is probably another huge data breach happening that will not come to light for a year or two. But there is always something to be learned from these breaches and they should always inspire a renewed commitment to cybersecurity measures. 

The length of time that this breach was happening indicates to me that Marriott now needs to work on developing a culture of security at every level of management. From the person at the front desk taking reservations to the people working in giftshops to the CEO, cybersecurity needs to be a priority. This company is a prime example of an organization whose apologies are only drops in the bucket in view of what needs to be done to restore customer confidence. 

From a technical perspective, it is possible that Marriott had very strong defense practices in place. But strong cybersecurity practices require much more than technology and network defense. No matter what Marriott had in place to protect itself, it is clear that the security setup was a “set it and forget it” affair, with very little done to maintain it or support employee education about the human element of security. 

The weakest link in any cybersecurity plan containing both proactive and reactive measures is always going to be the human element. No matter how strongly you defend your networks and critical systems, one click by an employee on a malicious link in a phishing email can easily undo all of that. Without education, organizations cannot marshal the resources necessary to develop strong cultures of security. Reactive strategies for when things like this do happen are just as important as investing in prevention.

For organizations and businesses, investing in cybersecurity and paying attention to news of large data breaches like this is important to learn lessons about defense and appropriate response. Allowing a breach to continue for four years is totally unacceptable and organizations can learn from Marriott’s mistakes in that regard. 

For individuals, I think the lessons for personal security are a bit different. Reviewing Marriott’s webpage, I discovered that they offer a call center for people to check up on their personal information, as well as a dedicated website, email notification services, and a service called WebWatcher to scan the internet for one year and alert affected guests of any traces of their personal information. 

While it is critical that Marriott take responsibility, and offering these services seems appropriate, the average person should realize that if their personal information hasn’t been compromised by this breach, odds are it has already been compromised through one or more of the other breaches that has occurred or is occurring right now. To be proactive about personal cybersecurity, taking advantage of the many services that breached companies offer may seem like the right thing to do in order to best secure your information. But it is ultimately difficult to determine how useful these options are—and important to bear in mind that once your information is out there, no measure is going to get it back. 

While I have mixed feelings about any service that scans the internet for personal information, being mindful of signs of fraud is important. In the wake of the Equifax breach, many froze their credit reports and became more mindful about monitoring their credit for any signs of fraud—such as new credit lines of which they were unaware. 

Many are frustrated with the continually growing list of companies and organizations that cannot seem to keep our data and personal information safe. As we head into 2019, it may be advisable for our nation to think more seriously about cybersecurity-related regulations for handling consumer data. Even if we can’t expect a 100 percent success rate, consumers should be able to have some faith that if a breach like this does happen, it will be addressed immediately—not four years after the fact.



MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.  

Leave a Reply

Articles by Issue

Articles by Subject