Personal information from about 500,000,000 people who made reservations at a Starwood hotel was stolen by hackers.
These hotels include Sheraton, Aloft, W Hotels, and Westin Hotels. Marriott acquired the Starwood Group back in 2016, but the compromise started way back in 2014 before the acquisition took place.
Hackers had full access for four years
This means that the hackers had plenty of time to learn, gather data, and exploit that data. The hackers had access to everything in the system and used the Starwood system as their playground for four years.
A data loss prevention (DLP) system was in place to make sure that sensitive data did not leave the network. But there is an easy way around DLP systems: they have to be able to read outbound communications to recognize that the content is sensitive and act to stop it. If the hackers encrypted the data first, the DLP system could not read it, and they could then export the encrypted data at will.
Of course, exporting vast volumes of encrypted data would itself raise a red flag. But the hackers had plenty of time: over four years the data could easily have been encrypted and dripped out in smaller batches.
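As an added illustration (not code from the original post), the following Python shows the point from a defender's side: a content-inspecting DLP rule fires on the plaintext export but sees nothing in the encrypted one, so the slow encrypted drip has to be caught by complementary signals such as payload entropy and cumulative outbound volume per host. The hosts, destinations, records and thresholds are constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed, hypothetical outbound-transfer records:
# (day, source host, destination, bytes sent, first bytes of the payload).
PLAINTEXT = b"guest_id,name,passport_no\n1001,A. Example,X1234567\n" * 5
CIPHERTEXT = bytes(range(256))  # stand-in for encrypted output: every byte value once

TRANSFERS = [(1, "res-db-01", "203.0.113.5", 250_000, PLAINTEXT)]
TRANSFERS += [(d, "res-db-02", "203.0.113.9", 30_000, CIPHERTEXT) for d in range(1, 8)]

PII_PATTERN = re.compile(rb"passport|\b\d{16}\b", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or random data approaches 8.0."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dlp_content_match(payload: bytes) -> bool:
    """What a content-inspecting DLP rule sees: only readable text can match."""
    return PII_PATTERN.search(payload) is not None


def flag_transfers(transfers, entropy_threshold=7.0, host_budget=100_000):
    """Return (host, day, reason) alerts. The content rule catches plaintext;
    the entropy and running-volume checks cover what encryption hides from it."""
    alerts = []
    sent_so_far = defaultdict(int)
    for day, host, dst, nbytes, sample in sorted(transfers):
        if dlp_content_match(sample):
            alerts.append((host, day, "dlp-content-match"))
        elif shannon_entropy(sample) >= entropy_threshold:
            alerts.append((host, day, "high-entropy-outbound"))
        before = sent_so_far[host]
        sent_so_far[host] += nbytes
        # Fire once, on the day the host's cumulative outbound bytes cross the budget.
        if before < host_budget <= sent_so_far[host]:
            alerts.append((host, day, "cumulative-volume"))
    return alerts
```

In this sample the encrypted host never triggers the content rule at all; it is only the entropy check and the running byte count on day 4 that expose the drip.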
So, what will happen next?
The investigation will continue. Likely, the full extent of the breach will not be known for some weeks. The breach will continue to make headlines for weeks as more is learned and disclosed to the press.
People will be fired.
Marriott will need to make an example of someone by walking one or more of its technology people out the door. The breach should have been detected before the Marriott acquisition. Someone did not do their homework, and that person or those people will be ousted to appease the shareholders.
Marriott will pay a fine
Just like Yahoo, Marriott will be liable for fines. Under GDPR the penalty could be as much as 4% of profits. With the threat of a fine looming, the stock price will be depressed for a while, but this one-time event will not affect the stock price in the long term.
There will be a class-action lawsuit
Many law firms will be lining up to profit from Marriott’s woes. The suits will drag on for years, and in the end, the lawyers will make a boatload of money, and the people affected will get a coupon for a discounted hotel stay.
Marriott will not pay to replace passports
Leadership at Marriott stated that they would do all that they can to support their customers. But this will not include replacing passports of their customers.
Under pressure from lawmakers, Marriott quickly agreed to pay for passport replacements for the breach victims. But this will never happen. The cost of replacing a passport is currently $110, and the compromised passport numbers run into the hundreds of millions.
This makes it impossible for Marriott to replace all of the passports that were compromised. Footing the bill would put the hotel chain into bankruptcy.
The damage will not be known
The actual harm from the data breach is already done. People’s identities have likely already been stolen. Credit cards have been fraudulently used for purchases. The perpetrators have probably already made millions by quietly selling the data over the past four years.
At this point, it will likely be impossible to assign a quantitative cost to the breach.
People will still use Marriott
With the breaches at Yahoo, Equifax, Home Depot, and hundreds of other companies, people have become numb to the effects of large-scale data compromises.
Credit card companies already protect the consumer, so credit card fraud has become just a minor inconvenience for people.
Identity theft is a bit more of a mess to clean up, but even this is no longer a life-impacting event in most cases.
Marriott and the Starwood family of hotels will continue to be profitable. Soon this data breach will be a story from the past. This breach will have almost no effect on the stock price over time.
Marriott will be forced to step up their cybersecurity efforts. Sometimes companies have to learn the hard way.
Donald Korinchak is a Cybersecurity Program Director serving customers in the Washington DC area. Donald holds an MBA from the University of Pittsburgh Katz School of Business. Donald is considered a thought leader in leadership and cybersecurity issues.