In the wake of the Marriott data breach, U.S. senators are calling for tougher privacy laws and stiff fines for organizations that do not properly protect consumer data.
Half a billion is a really, really big number – so big, it almost seems impossible to think that Marriott’s security was breached and every single one of those records made its way into the hands of the bad guys. But that’s exactly what happened to Marriott’s acquired Starwood Hotels business in a breach that lasted 4 years!
From the time the breach was discovered, China was suspected of being behind the attack on Marriott’s network – which took place in September. That suspicion comes from various security firms’ assessments of the code and patterns used in the attack, which they deemed similar to previous operations by Chinese hackers, according to a NYTimes article.
According to the NYT’s sources, the aim of this widespread attack is to gather intelligence on American spies, as well as to pick up data that could be used for counterintelligence operations, and to target individuals.
With all the data the hackers have gathered, they could track “which Chinese citizens visited the same city, or hotel, as an American intelligence agent who was identified in data taken from the Office of Personnel Management or from American health insurers that document patients’ medical histories and Social Security numbers.”
If that stolen data hits the Dark Web, it will be used for years to come by cybercriminal organizations that are phishing unsuspecting users with everything from emails citing “a problem with your reservation” to offers for hotel rooms at an unbelievable price, to simply using the personal details gathered to establish context enough to fool a recipient into taking the bait.
The breach is inexcusable and demonstrates that even the organizations we believe protect their data best can fall prey to attack and breach. Major lesson here: in any acquisition, the due diligence needs to include a very, very thorough cyber security assessment of the company being acquired.
In response, U.S. Senators are calling for more stringent privacy laws – likely along the lines of the soon-to-be-implemented California Consumer Privacy Act of 2018 – to ensure that organizations holding material numbers of consumer records have proper security controls in place… and penalties for those who fall short characterized as “severe” and “aggressive”, even discussing jail time for senior executives who ignore customer data privacy.
Add to all this the wave of lawsuits against Marriott that have already begun. All of this indicates that consumer privacy is coming to a boil in the U.S., with the tolerance of consumers and Congress reaching an end.
It’s time for organizations like yours to get ahead of the consumer privacy game – while legislation may not exist yet, lawsuits certainly do. Protecting data with proper security controls, limits on privileged access, machine learning-based endpoint protection, and Security Awareness Training is all part of a necessary layered "defense-in-depth" security approach. Necessary… as in to protect your data, stay clear of the headlines, and avoid penalties from regulations.