Another day, another data breach.
This time, it’s 500 million identities stolen over a four-year period from the Marriott hotel chain. It’s one of the worst digital data thefts yet, but there’s no point panicking now. The time to panic was decades ago. Once we let corporations and governments stash our personal data in massive computer databases, we signed up for a future of stolen secrets and vanishing privacy.
How did the Marriott thieves manage to get in? With relative ease, probably. All it takes is one careless employee clicking on a seemingly innocent e-mail that installs malicious code on a single computer. That infected machine can spread its toxins through whole networks by planting programs that capture passwords and scoop up stockpiles of valuable information. From public schools to the Pentagon, no network will ever be safe because networks are operated by humans.
Indeed, the data stolen in the Marriott hack had probably already been stolen in some previous assault. Just last year, a breach at the massive data brokerage Equifax exposed immense quantities of sensitive information on 147 million Americans, including driver’s license and Social Security numbers. That single break-in captured personal data on 45 percent of the US population. Throw in countless other identity hacks over the past decade, and it’s a near-certainty that almost every American’s private data is private no longer.
Long before the Marriott breach, data security researcher Brian Krebs began issuing a somber warning: “Assume your credit card data is for sale on the underground, and assume your Social Security number and other static data are for sale,” said Krebs, publisher of the KrebsOnSecurity website, “because it probably is.”
This doesn’t let Marriott off the hook. The breach occurred in the reservations database of Starwood Hotels and Resorts, a company Marriott acquired two years ago for nearly $14 billion. Apparently, none of the money went for an upgrade to Starwood’s data security systems because the breach began two years before Marriott made the acquisition and continued for two more years under new management.
Jake Olcott, vice president of communications at BitSight, a Boston-based data security company, said this suggests that Marriott failed to exercise “cyber diligence.” Olcott said it is a common problem when companies merge because “the IT and IT security folks are often not brought into the transaction until very late in the deal flow.” By then, both buyer and seller aren’t eager to hear any bad news that might derail the transaction, so any bad news about weak network security may have been shoved into the shadows.
Is that what happened this time? We may find out when the lawsuits are filed. At the least, the Marriott case is a good reason to insist on tougher state and federal sanctions against corporations that misplace our personal data. If Marriott had to pay even $100 for every stolen data file, it might have paid closer attention. (Under a new California law, consumers can sue for up to $750 when their information is lost.)
For now, we’re the ones who’ve got to pay attention. Check whether you’ve stayed at a Starwood property anytime since 2014. (For what it’s worth, Marriott says its own separate reservation system was unaffected.) If your data may have been stolen, it makes sense to sign up for a credit freeze to prevent criminals from signing up for credit in your name, and to keep an eye on your bank and credit card accounts to spot illicit withdrawals and purchases. Marriott is providing potential victims with free access to a service that searches sites that trade in stolen personal information.
Indeed, these are sensible moves for all of us, even those who have never stayed at a Starwood. Wherever you stay, your personal data has probably already checked out.
Hiawatha Bray can be reached at firstname.lastname@example.org.