Turndown Service with that Hack: Marriott Hotels Announce Massive Data Breach
Marriott International, Inc., the world’s biggest hotel conglomerate by number of properties it owns, is the latest company to fall short in securing consumer privacy.
On November 30, 2018, Marriott revealed that its Starwood hotels, which include the W Hotels, Le Meridien, St. Regis, and Sheraton brands, had been the subject of a cyberattack over the past four years in a breach that affected the personal information of some 500 million guests. According to Marriott, an as yet unidentified hacker penetrated the Starwood guest reservation system, copied guest information, and encrypted the copies in an attempt to hide the breach from detection. The unauthorized access continued until September 2018, when Marriott’s security tooling finally detected it. At this stage, Marriott has not determined how much of the copied data was removed from its systems or disclosed to third parties by the hacker.
The scope of the information exposed by the breach is distressing. For an unlucky 327 million guests, the data compromised includes, among other information, a combination of passport numbers, email addresses, mailing addresses, phone numbers, dates of birth and gender. Further, Marriott is currently unable to confirm how many credit card or other payment card numbers were copied, nor whether the hacker also obtained the keys needed to decrypt the payment card numbers and expiration dates, which Marriott stored in encrypted form.
Marriott has begun sending email notifications to affected individuals and has established a call center to answer questions regarding the incident. For US and Canadian customers the number is 877-273-9481. Law enforcement officials and regulators in the UK and US have been alerted, and investigations are underway.
Those who have been affected should take advantage of the free one-year enrollment in WebWatcher, a fraud-monitoring service that Marriott is currently offering. Those who have been contacted by Marriott, as well as those who have not yet been contacted but stayed in a Starwood hotel between 2014 and September 2018, can take protective actions, such as changing account passwords and enabling two-factor authentication, monitoring bank and financial accounts and credit card statements, and treating unexpected emails and attachments with suspicion.
The Marriott breach serves as a useful reminder for all businesses to review their own security practices. Among the steps to consider are:
- Keep your firm’s systems as secure as practicable. It is not possible to keep your systems 100% secure, regardless of how much money you spend on cybersecurity. However, you can reduce your risk by keeping antivirus, firewall, web browser and operating system software current, and by applying all patches and updates provided by software publishers.
- Prepare and maintain a written information security program. An effective written information security program will describe the measures that your firm is taking to protect the security and confidentiality of personal and other sensitive information that it collects and maintains. This program should be updated as necessary.
- Establish a records retention policy. Your firm should establish a records retention policy that requires destroying documents containing sensitive information you no longer need, unless applicable law requires that those documents be retained.
- Prepare an effective incident response plan, and test it. If you have not done so already, your firm should have a data breach incident response plan in place, and that plan should be tested and updated regularly. Among other things, an effective incident response plan will specify which individuals are to be contacted if a potential breach occurs and the steps to follow in responding to the breach.
- Back up your critical data regularly. Reduce the likelihood of losing your firm’s data in a “ransomware” attack or other disaster by maintaining regular backups of critical systems and data.
- Train your employees. A company’s own employees are a primary source of data security risk. Your firm’s employees should be trained on basic cybersecurity hygiene, and training sessions should be scheduled regularly. New kinds of threats are constantly emerging, and best practices are evolving, so your employees should be kept continuously up to date on what to do and what not to do.
- Limit access to sensitive information within your firm. Ensure that access to legally protected and other sensitive information is limited to the employees who actually need it. Not everyone in your firm needs access to the firm’s most sensitive information.
- Maintain physical security. Many firms focus intently on cybersecurity, as they should. However, physical security is also extremely important. Your firm should restrict access to its physical space to make it more difficult for intruders to get in. In addition, paper documents containing legally protected and other sensitive information should be kept in a locked cabinet or locked desk drawer.
- Consider obtaining cyber insurance. Cyber insurance coverage will protect your firm against certain losses that may occur in a data breach. Your insurance broker should be able to assist your firm in obtaining appropriate cyber coverage, and your legal counsel can help you understand the scope of that coverage.
For more information on the topic discussed, contact:
Cyber & Privacy Alert is a newsletter by Tannenbaum Helpern’s Cybersecurity & Data Privacy practice that covers emerging legal and business developments affecting cyber and privacy risks and regulation, and their impact on businesses.