Taylor Telford and Craig Timberg, Washington Post:
Marriott said Friday that hackers have had access to the reservation systems of many of its hotel chains for the past four years, a breach that exposed private details of up to 500 million customers while underscoring the sensitive nature of records showing where and when people travel — and with whom.
The breach of the reservation system for Marriott’s Starwood subsidiaries was one of the largest in history, after two record-setting Yahoo hacks, and was particularly troubling for the nature of the data that apparently was stolen, security experts said. That includes familiar information — such as names, addresses, credit card numbers and phone numbers — and also rarer prizes for hackers, such as passport numbers, travel locations and arrival and departure dates.
The potential value of such information on such a large percentage of the world’s travelers triggered speculation that Marriott may have been the target of nation-state hackers seeking to track the movements of diplomats, spies, military officials and business executives. Yet even if the hackers were mere criminals in search of profit, such data offered the raw material for a range of possible misdeeds, including identity theft.
The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.
Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.
No corporation should have the personal details of 500,000,000 customers. That’s too big. It’s too much market. And, as we now know, it’s too risky.
The biggest value from GDPR and the like — I can say this from experience — is you get to challenge businesses to justify whether they really need to store data, with a legal requirement to back the question. If you ask them to inventory data they usually just say delete it instead.
Think about it: a breach of tens or hundreds of millions of individuals’ extremely private information — including, in this case, passport numbers and encrypted credit card numbers — could not have reached this scale if the system had been designed to purge each item at the earliest possible moment: a passport number once the guest has checked out, a card reference once the chargeback window has closed, the stay itself once there is no business reason to keep it. Four years of accumulated reservation history is a choice, not a necessity.
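To make the "purge at the earliest possible chance" design concrete, here is an added example (not code from the post, and not Marriott's or Starwood's system): a small retention job over a constructed reservation table. The retention windows, field names and sample records are assumptions chosen for illustration; the point is that whatever an attacker dumps at a given moment contains only what the windows still allow, rather than every guest who ever stayed.

```python
"""Retention-driven data minimization for hotel reservation records.

Added example, not from the original post. Field names, retention windows and
sample records are assumptions made for illustration; a real policy would also
model legal holds and regulator-mandated minimums.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

# Hypothetical retention windows, measured from the guest's departure date.
PASSPORT_RETENTION_AFTER_CHECKOUT = timedelta(days=0)   # drop at checkout
CARD_RETENTION_AFTER_CHECKOUT = timedelta(days=30)      # chargeback window only
RECORD_RETENTION_AFTER_CHECKOUT = timedelta(days=365)   # then the stay itself goes

# "Today" for the demo: the day the breach was announced in 2018.
TODAY = date(2018, 11, 30)


@dataclass(frozen=True)
class Reservation:
    guest: str
    arrival: date
    departure: date
    passport_number: Optional[str]   # collected at check-in, assumed required by local law
    card_token: Optional[str]        # a tokenized reference, never the full card number


def minimize(r: Reservation, today: date) -> Optional[Reservation]:
    """Apply the retention windows to one record.

    Returns None once the whole record is past its retention date. Fields are
    stripped relative to departure, so an in-house or future guest keeps
    everything the hotel still operationally needs.
    """
    if today >= r.departure + RECORD_RETENTION_AFTER_CHECKOUT:
        return None
    passport = r.passport_number
    if today >= r.departure + PASSPORT_RETENTION_AFTER_CHECKOUT:
        passport = None
    card = r.card_token
    if today >= r.departure + CARD_RETENTION_AFTER_CHECKOUT:
        card = None
    return replace(r, passport_number=passport, card_token=card)


def run_purge(records: List[Reservation], today: date) -> List[Reservation]:
    """The nightly job: rewrite the table with every field past its window removed."""
    kept = []
    for r in records:
        m = minimize(r, today)
        if m is not None:
            kept.append(m)
    return kept


def exposure(records: List[Reservation]) -> dict:
    """What a full dump of the table at this moment would hand an attacker."""
    return {
        "records": len(records),
        "passport_numbers": sum(r.passport_number is not None for r in records),
        "card_tokens": sum(r.card_token is not None for r in records),
        # ISO string so the result is easy to compare without importing date.
        "oldest_departure": min((r.departure for r in records), default=None)
        and min(r.departure for r in records).isoformat(),
    }


# Constructed sample data: one stay per year of the four-year window plus
# current and future guests. Names and numbers are placeholders.
SAMPLE_RESERVATIONS = [
    Reservation("guest-a", date(2014, 11, 1), date(2014, 11, 5), "P-0001", "tok-a"),
    Reservation("guest-b", date(2018, 10, 1), date(2018, 10, 5), "P-0002", "tok-b"),
    Reservation("guest-c", date(2018, 11, 20), date(2018, 11, 25), "P-0003", "tok-c"),
    Reservation("guest-d", date(2018, 11, 28), date(2018, 12, 2), "P-0004", "tok-d"),  # in house
    Reservation("guest-e", date(2019, 1, 10), date(2019, 1, 14), None, "tok-e"),       # future
]


def demo(today: date = TODAY):
    """Return (exposure before purge, exposure after purge) for the sample table."""
    return exposure(SAMPLE_RESERVATIONS), exposure(run_purge(SAMPLE_RESERVATIONS, today))


if __name__ == "__main__":
    before, after = demo()
    print("without retention:", before)
    print("with retention:   ", after)
```

Run as-is, the job removes the 2014 stay entirely, strips every passport number except the guest currently in the building, and leaves card tokens only for stays still inside the chargeback window. The same intrusion against the purged table exposes one passport number instead of four; against a four-year history the arithmetic is what the Post describes.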
The market doesn’t punish incidents like these.¹ Stricter regulation — designed carefully by data security experts — is needed to both reduce the amount of personal details companies are allowed to accumulate, and provide a framework for how information should be stored.
¹ On a related note, Equifax’s stock almost recovered to its pre-breach price in September before it dropped again in October by roughly the amount it lost just after the breach announcement. The reason? A mediocre financial quarter with a poor forecast for the current quarter. Call me crazy, but shareholders should not punish a company for performing a little below expectations to the same degree they punish it for letting third parties pilfer the sensitive details of about a hundred and fifty million people.