Marriott’s 500m Record Breach – what they should have done

The massive 500m record breach of Marriott’s Starwood customer database is just the latest in a very long line of high profile, reputation-threatening data breaches.

“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.”

In 2017 alone, over 40 organizations including Equifax, Verizon, eBay and Uber were in the news having suffered costly and/or embarrassing data breaches. That seemed bad enough, but according to personal information security specialist IdentityForce there have already been three times as many in 2018, including Facebook, British Airways and the US Postal Service!

The even worse news for Marriott is that (unlike the companies hacked last year) they now potentially face a billion-dollar fine under GDPR (4% of worldwide revenue) if they can’t demonstrate prompt, effective action to notify the relevant data protection authorities and affected customers – and that’s in addition to the probable loss of business and the immediate 6% decline in its share price.

Let’s remind ourselves of the main requirements of GDPR compliance in respect of customer data:

• Keeping customer data accurate, up-to-date and secure
• Proving consent for all use of customer data
• Responding to Subject Access Requests quickly
• Processing the “Right To Be Forgotten”
• Maintaining a complete audit trail of access and updates to customer data
• Notifying affected customers promptly in case of a breach

Obviously, Marriott are in breach of the first duty. Their ability to meet their other responsibilities is about to be put under intense scrutiny by authorities, courts and the media. Note that Marriott “has not finished identifying duplicate information in the database” – they are obviously finding it difficult to assess (and notify) the actual scale of the problem. It’s also likely to make it a huge challenge to respond quickly to what are likely to be large numbers of Subject Access Requests, to prove consent for customers who wonder why Marriott hung on to their data, or to reliably erase records for the (probably) hordes who will demand the “Right To Be Forgotten”. With the volumes of data involved, this will require highly accurate, automatable matching – for example, if Marriott remove one or two instances of a customer but other occurrences remain undetected, they will not be fulfilling the deletion request properly. The situation might then be aggravated by marketing to the undetected customer duplicates, leading to further scrutiny and potentially more fines.
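To make the duplicate problem concrete, here is an added illustration (not code from the original post, and not the matching engine the post describes) of why an erasure request handled by exact string comparison leaves records behind, and how even simple normalisation of e-mail, phone and name fields finds the stragglers. The guest records, the erasure request and the matching rule (same normalised e-mail, or same normalised name and phone) are all constructed for this example; a production matching engine would use far richer rules, but the failure mode is the same.

```python
"""Illustrative duplicate matching for a GDPR erasure request (constructed example)."""
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class GuestRecord:
    record_id: int
    name: str
    email: str
    phone: str


# Constructed sample data: one guest stored three different ways, plus an unrelated guest.
SAMPLE_RECORDS = [
    GuestRecord(1, "Jane Doe", "jane.doe@example.com", "+44 20 7946 0958"),
    GuestRecord(2, "DOE, Jane", " Jane.Doe@Example.com", "020 7946 0958"),
    GuestRecord(3, "Jané Doe", "jdoe@example.org", "+44 (0)20 7946 0958"),
    GuestRecord(4, "John Smith", "john.smith@example.com", "+44 161 496 0000"),
]

# Constructed erasure request, as the data subject might submit it.
ERASURE_REQUEST = GuestRecord(0, "Jane Doe", "jane.doe@example.com", "+44 20 7946 0958")


def normalise_email(email: str) -> str:
    """Case and surrounding whitespace carry no identity information."""
    return email.strip().lower()


def normalise_phone(phone: str, default_country: str = "44") -> str:
    """Reduce a phone number to country code + national number digits."""
    cleaned = re.sub(r"\(0\)", "", phone)   # drop the optional trunk prefix "(0)"
    digits = re.sub(r"\D", "", cleaned)       # keep digits only
    if digits.startswith("00"):               # international dialling prefix
        digits = digits[2:]
    elif digits.startswith("0"):              # national format, e.g. 020 ...
        digits = default_country + digits[1:]
    return digits


def normalise_name(name: str) -> str:
    """Strip accents, lower-case, and sort tokens so 'DOE, Jane' equals 'Jane Doe'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", ascii_name.lower())
    return " ".join(sorted(tokens))


def find_exact(records, email):
    """Naive approach: exact string match on the e-mail exactly as typed."""
    return [r for r in records if r.email == email]


def match_reason(record, subject):
    """Return why `record` is judged to be the same person as `subject`, or None."""
    if normalise_email(record.email) == normalise_email(subject.email):
        return "email"
    if (normalise_name(record.name) == normalise_name(subject.name)
            and normalise_phone(record.phone) == normalise_phone(subject.phone)):
        return "name+phone"
    return None


def matched_ids(records, subject):
    """Record ids the normalised matching rule attributes to the subject."""
    return [r.record_id for r in records if match_reason(r, subject)]


def erase(records, subject):
    """Erase every matching record; return (remaining records, audit trail of deletions)."""
    remaining, audit = [], []
    for r in records:
        reason = match_reason(r, subject)
        if reason:
            audit.append({"record_id": r.record_id, "action": "erased", "matched_on": reason})
        else:
            remaining.append(r)
    return remaining, audit


if __name__ == "__main__":
    print("exact match finds:", [r.record_id for r in find_exact(SAMPLE_RECORDS, ERASURE_REQUEST.email)])
    print("normalised match finds:", matched_ids(SAMPLE_RECORDS, ERASURE_REQUEST))
    left, trail = erase(SAMPLE_RECORDS, ERASURE_REQUEST)
    print("remaining:", [r.record_id for r in left])
    print("audit trail:", trail)
```

On this data the exact-match approach deletes only record 1 and would leave records 2 and 3 (the same guest with a differently cased e-mail and with an accented name and a second e-mail address) live and still eligible for marketing; the normalised rule finds all three and records, per deletion, which rule matched, which is the kind of audit evidence a regulator asks for.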

Let’s think about what might have been – earlier this year, another very large international hotel group acquired a worldwide licence for our contact data matching engine. Their motivation was primarily twofold: they wanted to improve the quality of matching behind their Single Customer View using best-of-breed matching and to bring it under the control of their corporate database system. From the available cross-platform, on-premise or cloud deployments, our client chose to integrate the matching engine into their Amazon Web Services Linux platform. They recognised that using a discrete system for customer data matching which involves exporting data from one system to another, perhaps via a flat file, makes it difficult to ensure absolute security while the data is in flight – and any security system is only as good as its weakest link. Other significant benefits of integrating matching within the corporate database are the access control and the auditability that this provides.

But let’s imagine that the worst happens and, despite their customer data residing only in the most secure place it can be, inside their main database, our client is also hacked. The first difference is that they will be alerted quickly by the monitoring tools within their database, so they can react fast. Next, they can use their accurate, up-to-date Single Customer View (enabled by our uniquely effective customer data matching) to check how many and which customers were affected – this means that they can notify the authorities immediately with concrete information about the hack, as well as the affected customers. Then, our client would be well placed to handle the expected surge in customer demands for information, erasure, etc.

The bottom line is that any CTO, CEO and board that is not doing their utmost to keep access to high volumes of customer data secure, or not making sure that the organisation can react effectively in the event of a breach, is betting the farm on thinking that “it wouldn’t happen to us”!