Yes, bad things happen to good companies and that is what happened to Marriott. Marriott is regularly celebrated as the finest international hotel chain with brands such as St. Regis; Ritz Carlton, JW Marriot, Sheraton, W, Weston, Courtyard and several dozen others. Its glistening brands are also matched by a reputation for execution efficiency and reliability. However, the recently revealed massive data breach tested that enterprise character – and it came through in flying colors.
Yes, the attack on part of Marriott’s systems jeopardized the private information of as many as 500 million customers, The customer data was carried in the Starwood Hotel frequent traveler system through its acquisition by Marriott in 2016. This hacking is second in size only to the Yahoo! data attacks in 2013 and 2014 of roughly 3 billion users. The company announced that an unauthorized party had been tapping into the database since 2014, revealing email addresses, passport numbers, payment information and travel preferences. Unlike the 2017 Equifax breach of 148 million people, it is believed that social security numbers were not accessed. Also, unlike the large data breaches at Equifax, Facebook in 2018 (50 million), Target in 2013 (40 million people), the company did not deflect, deny, or delay for months after the detected breach.
Instead, mindful of the new General Data Protection Regulation (GPDR) requirements in the EU, Marriott moved quickly. On September 8, the company discovered an intrusion had taken place and quickly went to work on investigating, but the hackers managed to conceal the precise nature of their theft through creating their own encryption of the purloined data while removing it. Thus, it was harder for Marriott to figure out what had been taken and who was victimized.
By November 19, Marriott was able to define what was stolen and then spend the next few days assembling a communication process through the Thanksgiving holiday, which included setting up a call center and a website to answer all questions from affected guests. Furthermore, after identifying an estimated 327 victims, the company allowed for a possible 500 million to avoid the slow drip of bad news unfolding at those other hacked firms. This response was accomplished in a week with the company giving its notification seven days after the breach was identified.
Marriott CEO Arne Sorenson, instead of hiding behind attorneys, came forward stating “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned be bet better moving forward.”
One of those lessons may be to make even faster public alerts after learning of such breaches, as now the GPDR requirements are for notification roughly three days after detection. Another may be to ensure elevated encryption of names, addresses and phone numbers, underlying credit card encryption keys.
This was not a case of incompetence. The CIO of the acquired Starwood unit, Martha Poulter, was the very highly-regarded previous CIO of GE Capital, and the company had made substantial investments in this field. Similarly, the chief information security officer through the data breaches at Yahoo! and Facebook was the same top-rated security superstar, Alex Stamos. Yet perhaps elevated privacy regulation in the U.S. would make it easier for CEOs to justify much larger expenditures on data security, given the centrality of such information to global commerce and the growing sophistication of Russian and other cyber-villains.
In a bold statement just last week, IBM CEO Ginni Rometty called for government action, stating, “In regulating tech, the government needs to focus on fixing the real problem …Tackling the real problem means using a regulatory scalpel, not a sledgehammer, to avoid collateral damage that would hurt the wider, productive and more responsible parts of the digital economy.”
As the European Union thinks about these issues, I would urge a focus on specifics, such as: 1) AI transparency and explainability and, 2) dominant platform liability. Additionally, e-commerce legislation, including the EU’s e-commerce directive, must be re-opened to consider new measures of liability. This is the first time a major tech CEO has called for specific regulations on AI transparency and liability. It’s no longer a case of IF there will be regulation, but when.
The stock bounce back of other hacked firms suggest that highly-profitable Marriott’s 5% stock hit is no cause for panic, but their responsible reaction is not cause for celebration either, given the risk to the public which remains. As Nietzsche reminded us, “What does not kill me makes me stronger.”