By now it is old news. Everyone has heard about the Marriott data breach. The headlines told the story: “GDPR May Add Up to $915M Marriott’s Data Breach Expenses,” proclaimed Forbes in a headline; “New Year, new tactics to keep your personal info safe after Marriott,” said the Los Angeles Times; “Marriott: Hackers accessed more than 5 million passport numbers,” stated The Washington Post.
And, it wasn’t really even Marriott—at least, not when it started. However, even suggesting that we can identify when the breach was initiated is a tenuous supposition. Perhaps the most frightening aspect of the entire debauched state of affairs is that no one truly knows who has the data and what they intend to do with it.
Yet, almost everyone leads with Marriott Hotels since it makes for a better soundbite. To be clear, it was Starwood’s guest reservation database that exposed up to 500 million records, which included the most personal and horrifically useful datapoints. Marriott inherited this mess when it acquired Starwood Hotels & Resorts Worldwide. The Marriott Hotels reservation system was not affected by the breach.
This breach of Starwood’s reservation system included names, addresses, phone numbers, passport numbers, birthdates, and genders in Starwood’s Loyalty Program account information. Starwood brands include St. Regis Hotels & Resorts, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Meridien Hotels & Resorts, and W Hotels.
What Happened to the Data?
As the horror gradually revealed itself similar to a slowly opening barn door on a moonlit evening in a Stephen King short story, it became clear that the breach had been lurking within the system for an indeterminate number of years. As per its main focus of news-entertainment, much of the media has focused on the more sensational sound bites and dramatic visuals as opposed to taking the time to ask the really important questions, such as: What happened to the data?
According to Bob Sullivan, an independent journalist and 20-year veteran of MSNBC.com/NBC news, “This is no ordinary credit card data heist. If the criminals were using card accounts stolen in this incident, banks would have figured out where the stolen cards had come from long ago. I doubt it’s an identity theft ring. There’s no way some kind of casual prankster or amateur would have kept up this effort for four years. Something more serious is going on here” (https://bobsullivan.net/cybercrime?/starwood-breach-what-should-you-do-that-depends-on-who?-and-why).
It was clear when the story first broke that Sullivan was one of the few with the insight and interest to consider the more pertinent ramifications of what happened. Very few outlets were addressing the real problems we should all be concerned about: Who did it? What happened with the data? What do they plan to do with the data? For 4 years the hackers had all this data, yet not a single credit card number was sold on the dark web.
We agree with Sullivan’s assessment that something more serious is going on. Our guess is that it is a state actor with a 100-year plan, such as China or Iran, but of course we are guilty of gross speculation. One may want to consider what other mega-actors, with 100-year plans, would hold onto the personal records of nearly every business traveler on earth for an indefinite amount of time. Who else has the resources and long-term determination with no apparent need to monetize this fortune?
We reached out to Sullivan, who graciously agreed to let us interview him and gather his thoughts on all things cyber and more specifically the Marriott subsidiary Starwood’s data breach.
The Sad State of Cybersecurity Today
When we asked Sullivan his thoughts on the state of cybersecurity today, his words were very chilling. “In almost all cases a company has to hire an outside company before they release how big a deal the break-in really is,” he said. Somehow, it is legal that companies get to hire lawyers and PR firms before they reveal to the general public that they have been robbed.
According to the official Marriott International News Center, “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott quickly engaged leading security experts to help determine what occurred” (http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database?-security-incident).
With all the money and resources available to a company such as Marriott, even it had to bring in outside experts to help determine just how big the data breach was. This makes Sullivan’s words even more chilling.
Marriott hired a new security officer in January 2018 and on its recent Form 10-K report identified a number of business risks around security. “Cyber-attacks could have a disruptive effect on our business,” the report noted. It added, “Changes in privacy and data security laws could increase our operating costs, increase exposure to fines and litigation.” In Marriott’s 2018 proxy statement (https://marriott.gcs-web.com/static-files/e8be6c13-f70c-4d5a-8d56-a46992c7edb8), it noted that the board of directors reviews the company’s cyber risk profile and is informed of specifics to Marriott’s cybersecurity risk program.
This should be of no surprise given that it is a well-known fact that hospitality is the third most frequently targeted industry, after retail and finance. Yet, with all of Marriott’s efforts, money, and resources, its subsidiary Starwood Hotels failed to protect its customers’ information.
The GDPR Effect
In May 2018, the EU’s General Data Protection Regulation (GDPR) took effect. This is something we have been writing about for years. Marriott could become the first major test case for Europe’s new stringent data laws. GDPR fines can be substantial for a serious violation—up to 4% of annual revenues. With revenues of more than $22 billion, a 4% fine could be levied if it’s found in violation of the new EU law.
Legislation similar to GDPR is long overdue in the U.S. A number of prominent CEOs have had to face the U.S. Congress over privacy transgressions. In 2017, the CEO of Equifax was put in front of the congressional cameras. In 2018, Mark Zuckerberg, the CEO of Facebook, was grilled by both House and Senate committees. Unfortunately, despite the seemingly genuine interest and effort of the congressional leaders, they were clearly ill-prepared to draw any substantial conclusions. So, nothing changes. With fines up to 4% of global revenues, we may see the effect of GDPR even in the U.S. Possibly major corporations will now at least consider privacy and security more seriously, given the fact the it will finally hurt the bottom line.
What’s Ahead: Sarbanes-Oxley Meets Cybersecurity
It is time to ask the question: Why is there not legislation similar to the Sarbanes-Oxley Act established as a set of federal requirements for U.S. corporations as it pertains to privacy and security? As a nation, we need to create a system of legitimate accountability for officers of corporate America. Too often, companies casually use personal data, especially when there is even a modicum of marginal profit. Frequently, security breaches are the result of negligence or simple indifference. And, in many cases, breaches occur from an obvious vulnerability that a company knew about many months prior but it neglected to take reasonable and necessary actions to address in a timely manner. Why is that? Is it because they simply don’t care enough?
The consequence for such negligence is typically a one-time write-down or momentary public exposure in front of American media outlets that are mostly looking for a dramatic story to lead with on the nightly news. In other words, it’s no big deal.
Often, corporate officers will be dragged in front of cameras and even get hauled before Congress to testify. Sadly, it’s cheaper many times for the company to pay the fines than to actually fix the root cause of the problem. This is not a new behavior from U.S. corporations where they compare the cost of fixing a product to the cost of lawsuits if they don’t. What is clear is that if we want companies to keep our data secure, then we must hold the corporate officers responsible. We need to make sure the penalties are severe for mishandling our data and treating our personal lives in the most negligent of manners.
The U.S. Border Needs to Get a New Type of Wall
It is apparent that U.S. corporations need to be held to a higher standard. It is also time to expect more from Uncle Sam. “Is it fair that Marriott has to defend itself from a state actor?” asked Sullivan. Let’s face it, we are at war. There is an old saying, “If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck.”
While we should expect more from U.S. corporations, the U.S. government needs to own the strategic solution to this problem. We need more programs similar to the FBI InfraGard Program (www.infragard.org). This is a program in which the FBI partners with corporations on cybersecurity. When a major event happens, the Department of Homeland Security contributes resources to address, minimize, understand, and fix the problem. Why not an agency similar to FEMA (How about Cyber Attack Task System [CATS])? While Trump fights for his physical wall, Congress needs to enact laws to hold corporations responsible and to also put the necessary funding, resources in place to build a cyberwall that keeps American citizens’ data safe.
When this information is used against us in the future, it will be 100 times more costly to fix than it would have been to put preventive capabilities in place.
Insurance Companies’ Exclusions
Today, it is commonplace for companies to buy cyberinsurance. Yet, if you read the fine print, insurance companies are not responsible for acts of war. It’s just a matter of time before one of the big insurance companies invokes its exclusion and decides not to pay a claim.
The Real Questions
Too often, news outlets focus on collecting the most dramatic details and not on providing us with accurate information about real problems. The key questions regarding the Marriott subsidiary Starwood’s data breach are: Who did it? What happened with the data? What do they plan to do with the data?
If we want our privacy and data to be respected, then we need to pass a law similar to Sarbanes-Oxley for cybersecurity. We need to create a system of legitimate accountability for the officers of corporate America. We need to impose fines that really matter to a corporation’s bottom line. We need to expect more from our government. The FBI program InfraGard is a step in the right direction. But no corporation has the skills and resources to protect itself from a large state actor. Corporations such as Equifax, Target, Marriott, and others need to know the U.S. government has their backs. We need to build another type of wall, a “cyberwall,” that helps keep our data secure.
In 1987, in a speech given in West Berlin, President Ronald Reagan said, “Tear down this wall,” calling for Mikhail Gorbachev to open up the barrier separating the east from the west. Our words to President Donald Trump are: “Build us a cyberwall.” This will be much more valuable to Americans than any other wall currently under consideration.
And, we need our CATS to extinguish the dragons—but most importantly we need more journalists such as Bob Sullivan asking the questions that really matter.