Personal information from about 500,000,000 people who made reservations at a Starwood hotel was stolen by hackers.
These hotels include Sheraton, Aloft, W Hotels, and Westin Hotels. Marriott acquired the Starwood Group back in 2016, but the compromise started way back in 2014 before the acquisition took place.
Hackers had full access for 4 years
This means that the hackers had plenty of time to learn, gather data, and exploit that data. The hackers had access to everything in the system and used the Starwood system as their playground for 4 years.
A data loss protection (DLP) system was in place to make sure that sensitive data does not leave the network. But there is an easy way to get around DLP systems. A DLP system has to be able to read a communication in order to identify that it contains sensitive data and act to stop it. Hackers simply have to encrypt the data so that the DLP system is unable to read it, and the encrypted data can then be exported at will.
Of course, exporting huge volumes of encrypted data will itself raise a red flag. But the hackers had plenty of time. Over the course of 4 years the data could easily have been encrypted and dripped out in smaller batches.
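From the defender's side, the gap described above can be narrowed by tracking outbound payloads the DLP system cannot read and adding them up over a long window, rather than alerting only on single large transfers. The sketch below is an added example, not anything Marriott or Starwood ran; the flow records, host names, addresses and all thresholds are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

PER_TRANSFER_LIMIT = 50_000_000   # assumed single-transfer volume alert, bytes
WINDOW_DAYS = 30                  # assumed look-back window
WINDOW_LIMIT = 200_000_000        # assumed cumulative opaque-bytes alert, bytes
OPAQUE_ENTROPY = 7.5              # bits/byte; encrypted or compressed data sits near 8

def entropy(sample: bytes) -> float:
    """Shannon entropy of a payload sample in bits per byte."""
    counts = Counter(sample)
    return -sum(c / len(sample) * math.log2(c / len(sample)) for c in counts.values())

def pseudo_ciphertext(seed: int, n: int = 4096) -> bytes:
    """Constructed stand-in for an encrypted payload sample (hash output)."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:n]

def find_slow_exfil(flows):
    """Return {(src, dst): peak bytes} for pairs whose unreadable outbound volume
    inside any WINDOW_DAYS window exceeds WINDOW_LIMIT, counting only transfers
    small enough to stay under the per-transfer alert."""
    opaque = defaultdict(list)
    for day, src, dst, size, sample in flows:
        if size < PER_TRANSFER_LIMIT and entropy(sample) >= OPAQUE_ENTROPY:
            opaque[(src, dst)].append((day, size))
    alerts = {}
    for pair, events in opaque.items():
        events.sort()
        start, total = 0, 0
        for day, size in events:
            total += size
            while events[start][0] <= day - WINDOW_DAYS:  # slide the window forward
                total -= events[start][1]
                start += 1
            if total > WINDOW_LIMIT:
                alerts[pair] = max(alerts.get(pair, 0), total)
    return alerts

# Constructed flow records: (day, source host, destination, bytes, payload sample)
PLAINTEXT = b"guest=Jane Doe;room=1204;checkout=2018-11-30\n" * 90
FLOWS = [(d, "db-07", "203.0.113.40", 9_000_000, pseudo_ciphertext(d)) for d in range(1, 41)]
FLOWS += [(d, "web-02", "198.51.100.9", 30_000_000, PLAINTEXT) for d in range(1, 41)]
FLOWS += [(5, "app-03", "192.0.2.77", 4_000_000, pseudo_ciphertext(999))]

if __name__ == "__main__":
    for (src, dst), total in find_slow_exfil(FLOWS).items():
        print(f"{src} -> {dst}: {total:,} opaque bytes within {WINDOW_DAYS} days")
```

High entropy also matches compressed files and ordinary TLS traffic, so in practice a check like this needs an allowlist of expected destinations before it is useful as an alert.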
So, what will happen next?
The investigation will continue. It is likely that the full extent of the breach will not be known for a number of weeks. The breach will continue to make headlines for weeks as more is learned and disclosed to the press.
People will be fired.
Marriott will need to make an example by walking one or more of their technology folks out the door. The breach should have been detected prior to the Marriott acquisition. Someone did not do their homework, and that person or persons will be ousted in order to appease the shareholders.
Marriott will pay a fine
Just like in the case of Yahoo, Marriott will be liable for some fines. With GDPR the fine could be as much as 4% of profits. With the threat of a fine looming, the stock price will be depressed for a bit. But this one-time event will not affect the stock price in the long term.
There will be a class action lawsuit
Many law firms will be lining up to profit from Marriott’s woes. The suits will drag on for years and in the end the lawyers will make a boatload of money and the people affected will get a coupon for a discounted hotel stay.
Marriott will not pay to replace passports
Leadership at Marriott stated that they will do all that they can to support their customers. But this will not include replacing passports of their customers.
Under pressure from lawmakers, Marriott quickly agreed to pay for passport replacements for the data breach victims. But this will never happen. The cost of replacing a passport is currently $110. The number of compromised passport numbers is in the hundreds of millions.
This makes it impossible for Marriott to replace all of the passports that were compromised. Footing the bill would put the hotel chain into bankruptcy.
The damage will not be known
The actual damage from the data breach is already done. People’s identities have likely already been stolen. Credit cards have been fraudulently used for purchases. The perpetrators have likely already made millions by quietly selling the data over the past 4 years.
At this point, it will likely be impossible to attribute a quantitative cost of the breach.
People will still use Marriott
With the breaches of Yahoo, Equinix, Home Depot, and hundreds of other companies, people have begun to become numb to the effects of large-scale data compromises.
Credit card companies already protect the consumer, so credit card fraud has become just a minor inconvenience for people.
Identity theft is a bit more of a mess to clean up, but even this is no longer a life-impacting event in most cases.
Marriott and the Starwood family of hotels will continue to be profitable. Soon this data breach will just be a story from the past. This breach will have almost no effect on the stock price over time.
Marriott will be forced to step up their cyber security efforts. Sometimes companies have to learn the hard way.