Computers and the internet revolutionized how companies do business. Organizations of all sizes and from any location are able to extend their reach to new and larger markets and to work more efficiently by using computer-based tools. But as with every valuable tool, not using it properly and securely can lead to disaster.
The corporate compliance team at Marriott learned this lesson the hard way. On November 30, 2018, Marriott International announced that its Starwood-branded hotels had suffered a breach of their reservation systems back in July of 2014. The breach, which exposed 383 million accounts and affected more than 500 million people, is the second-largest in history. It involved payment card information, guest records (including personally identifiable information such as names, addresses, and phone numbers), and passport numbers.
Although the breach was first reported in September 2018, Marriott didn’t disclose it until 11 weeks later, after completing an in-depth investigation. Performing due diligence into the details of a breach is expected; however, this situation had some additional complexities.
What Went Wrong
Although the details of what went wrong are not completely clear, there are several factors that may have contributed.
Marriott did not acquire Starwood until September 23, 2016, so the breach occurred prior to the merger. Therefore, the prevention and detection policies and systems in place at the time were those of Starwood's cybersecurity program.
Furthermore, as a cost-cutting measure resulting from the merger, most, if not all, of the staff at Starwood Corporate, including those employed in information technology and cybersecurity, were laid off. As a result, the very people who would have had the most knowledge of Starwood’s network were gone, making it difficult for Marriott to identify and address the vulnerabilities that resulted in the breach.
Another factor leading to the breach was poor data management. Although payment card information was typically encrypted, other personally identifiable information and passport numbers were not.
Valuable Lessons from the Marriott Data Breach
Although mistakes can be destructive, they can also be instructive. Often, the most valuable lessons are those learned from examining life’s missteps. Corporate compliance personnel can avoid falling victim to a data breach by learning from Marriott’s mistakes:
Enforce Strict Security Procedures
Every business should have policies in place that delineate compliance requirements. Even basic everyday tasks, such as protecting confidential information, handling email safely, and not sharing passwords, still matter and should be continually reinforced among rank-and-file employees.
Execute Strong Data and Network Security
Any business that collects and stores personally identifiable information needs to use data encryption. Many companies already encrypt customer payment card data, but the Marriott breach is an important reminder that other information, such as passport numbers and consumer contact information, is equally susceptible to theft and should be protected the same way.
Network segmentation is another significant security measure and is required for compliance with the Payment Card Industry Data Security Standard (PCI-DSS), which governs organizations that collect and store payment card information. When designing a network, companies should use tools such as firewalls to segment it, thereby limiting access between different parts of the network and between the network and the internet. Another useful safeguard is to use intrusion detection and prevention tools to monitor the network for malicious activity, including suspicious login and logout activity.
Implement Cybersecurity Training
Corporate compliance personnel should continually evaluate and reassess training needs, including both foundational and reinforcement training, to account for:
- New/merged employees
- New types of cyberthreats
- New business lines or systems
- Other changes that may affect company cybersecurity
React Quickly to Reports of Compromised Information
Even when a business takes steps to secure its customers’ personally identifiable information, there may come a time when a security breach occurs. Several authorities and regulations, including the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the EU’s General Data Protection Regulation (GDPR), as well as individual state departments, require timely reporting of a breach.
In deciding if notification is warranted, consider the nature of the compromise, the type of information taken, the likelihood of misuse, and the potential damage that could arise from misuse.
Costly Consequences of a Data Breach
Not only can the loss or theft of data hurt a business’s brand and customer confidence, but it can also expose the company to often-costly penalties under the state and federal regulations that cover data protection and privacy. Data loss can also expose businesses to significant litigation risk.
Marriott reported costs of the incident at about $72 million and still faces a massive GDPR fine of over $123 million.
A Good Offense Is the Best Defense
Marriott’s data breach should be a clear lesson for corporate compliance professionals everywhere that it is critical to understand exactly which data or security breach regulations affect a business and how prepared the company is to respond to them. Employers who don’t already have protections in place should consider implementing a cybersecurity strategy to protect their business, their customers, and their data from the growing threat of cyber breaches. It can be valuable to work with a knowledgeable compliance partner that can recommend next steps in building or improving your organization’s cybersecurity strategy.