Dec 3, 2018 3:04:18 PM
Lessons from the Marriott / Starwood Data Breach
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Arne Sorenson, Marriott’s President and Chief Executive Officer

Lessons from Marriott’s recently announced breach are lessons for all. Their challenge to address what happened, restore credibility, and take swift action to prevent another breach from happening should be a wake-up call for any enterprise, in any industry.

Early details suggest that encryption keys were stolen along with credit card information. While the keys may have been stolen, what’s more disturbing is Starwood's inadequate encryption key management policies and practices. The absence of breach detection, combined with the fact that the intrusion had been going on for four years under Starwood, is nothing short of alarming.

To be fair, there's no doubt that Marriott International has established policies and procedures designed to protect data and detect malicious anomalies. This breach of Starwood’s data suggests either an internally initiated attack or one carried out with hijacked elevated user credentials. While distressing, it serves as a reminder that security is at the heart of every digital business. Considering these lessons now can help drive good decisions and greater investments.

Common sense data storage

Payment information should never be stored alongside non-payment data. A good analogy is storing your keys, passport and money side by side when you travel: you increase the likelihood that everything that’s really important is stolen in one shot. If Starwood did not follow best practices for storing and protecting the encryption keys, then this could be a much larger breach than what was originally reported.
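To make the key-storage point concrete, here is an added example (not code from the original post or from Keyfactor). It contrasts a row that carries its own raw key next to the card ciphertext with a row that carries only a key identifier, and then asks the defender's question: how many card numbers can be read from a plain database export? The in-memory KEY_SERVICE dict is a hypothetical stand-in for an HSM/KMS, and the HMAC-based keystream is a stand-in for a real AEAD such as AES-GCM; the card numbers and guest names are constructed sample data.

```python
import hashlib
import hmac
import os

# Illustrative stand-in for a real AEAD (e.g. AES-GCM behind a KMS/HSM):
# keystream = HMAC-SHA256(key, nonce || counter), XORed into the data.
# It gives no integrity protection and exists only to keep the example
# dependency-free; a production system would use a vetted cipher.
def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        stream = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, stream))
    return bytes(out)

def encrypt_pan(key: bytes, pan: str) -> dict:
    nonce = os.urandom(12)
    return {"nonce": nonce, "ct": _xor_keystream(key, nonce, pan.encode())}

def decrypt_pan(key: bytes, rec: dict) -> str:
    return _xor_keystream(key, rec["nonce"], rec["ct"]).decode()

# Weak layout (what the breach reporting suggests): the raw key sits in the
# same row as the card data, so any copy of the table carries both.
def store_weak(pan: str, guest: str) -> dict:
    key = os.urandom(32)
    return {"guest": guest, "card": encrypt_pan(key, pan), "key": key}

# Separated layout: the data store keeps only a key identifier; the key itself
# lives in a separate key service (hypothetical dict standing in for an
# HSM/KMS) that is never part of a database export.
KEY_SERVICE = {}

def store_separated(pan: str, guest: str) -> dict:
    key_id = os.urandom(8).hex()
    KEY_SERVICE[key_id] = os.urandom(32)
    return {"guest": guest, "card": encrypt_pan(KEY_SERVICE[key_id], pan), "key_id": key_id}

# Defender's check: given nothing but the exported rows, how many card
# numbers are readable? A row is exposed when its key travelled with it.
def pans_exposed_by_dump(rows: list) -> int:
    return sum(1 for row in rows if "key" in row and decrypt_pan(row["key"], row["card"]))

# Constructed sample data (well-known test card numbers, fictional guests).
WEAK_ROWS = [store_weak("4111111111111111", "guest-a"), store_weak("5555444433331111", "guest-b")]
SEPARATED_ROWS = [store_separated("4111111111111111", "guest-a"), store_separated("5555444433331111", "guest-b")]

if __name__ == "__main__":
    print("weak layout, PANs readable from the dump alone:", pans_exposed_by_dump(WEAK_ROWS))
    print("separated layout, PANs readable from the dump alone:", pans_exposed_by_dump(SEPARATED_ROWS))
```

The separated layout still decrypts correctly for the application, which looks the key up by its identifier, but an exported table on its own yields nothing.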

Due diligence is more than just accounting

Marriott acquired the Starwood brand in 2016. The fact that this breach has been ongoing since 2014 suggests that the issue was not uncovered during the M&A process. Starwood was a large enough brand on its own to have a mature digital security process in place. Were red flags missed? Were security gaps not known to Starwood? Or perhaps digital security was not even addressed at the time of the acquisition. Understanding a company’s current-state digital security program, along with its plans and allocated budget for advancing the cause, is critical to ensuring you’re not overpaying for a company that hasn’t invested enough in risk mitigation. Compliance is a big part of vetting asset quality and liability during a business combination; security rigor should play a role too.

Get ready for even more regulatory compliance & complexity

There are lots of best practices and guidelines for companies to consider when planning for and implementing digital security practices. But these concepts don’t ensure compliance; regulations do. Organizations will undoubtedly start to face increasing scrutiny and potential audits over how digital security keys are managed. Asserting that data needs to be encrypted or defining what algorithms should be used will no longer be sufficient. Companies need to be ready to prove that keys are being effectively managed and securely stored from cradle to grave and at all times in between. Compliance organizations and standards bodies will start looking to add these criteria, and companies will need to be ready to respond when new standards are introduced.

Additionally, this incident has all the right elements to become the poster-child case for GDPR. Marriott is an international company and has a significant EU operations base. Beyond financial penalties, the fallout could drive even greater restrictions and impact privacy regulations & future legislation in the US.

Brand credibility is everything

Crisis management is something you plan for, but never really know what it’s going to look like until something happens. The Marriott brand has been around since 1927, transforming into the hotel brand it is today in 1957. It has spent decades building a reputation of trust that in just a few moments has taken a hit. Only time will tell how quickly patrons will forgive. It’s unlikely that they’ll ever forget.

Lawsuits, government intervention, customer mistrust. And don’t forget they’ve got a credit card division too. Marriott will be in the news for years to come, reminding us over and over again of the strife caused by a potentially lackluster digital security program.

Personal data is just that…personal

Companies are using data to personalize customer experiences. And it works … when the data is gathered with consent and the customer has demonstrated some level of interest. Think about how deep this goes – the data these hackers have goes beyond buying preferences. It could include where these travelers have been, what rooms they like, what food they’ve eaten, and the names & data of other family members who have traveled with them. Birthdays, passwords … patterns of when someone travels for business and is away from home. From a national security perspective, passport numbers and other information could be sold to adversarial nations. It sounds far-fetched, but this new world we’re living in has threats we’re not even aware of yet.

This breach could have happened to any company. Attackers are getting more and more sophisticated, and it's impossible to foresee every coming threat and prevent all breaches. But there are steps that make it harder, such as ensuring every asset is covered by a digital identity and that the devices you’re investing in have security incorporated into the design. Investing in the right things can reduce the likelihood of a breach while also reducing the negative impact when one happens.
