Marriott International, Inc., today announced a data security breach involving its Starwood reservation database over the course of four years that exposed information relating to approximately 500 million guests, triggering new calls for federal privacy and data security legislation.
New York state Attorney General Barbara Underwood (D.) swiftly announced the launch of an investigation into the Marriott data breach. “New Yorkers deserve to know that their personal information will be protected,” she tweeted.
The company said that on Sept. 8 an internal security tool alerted it of an attempt to access the database, but that subsequent investigation determined that “there had been unauthorized access to the Starwood network since 2014.”
“For approximately 327 million of these guests, the information [accessed without authorization] includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information,” Marriott said.
“We deeply regret this incident happened,” Marriott President and Chief Executive Officer Arne Sorenson said. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The company said it has reported the incident to law enforcement officials and has begun notifying regulatory authorities.
Marriott announced a dedicated website and call center to address questions about the incident and said it would begin notifying affected guests by e-mail today. It also said it would offer free monitoring, fraud consultation, and fraud reimbursement services from WebWatcher, depending on availability in a guest’s country.
However, public interest advocates criticized the conditions that would be imposed on consumers for monitoring and alerting.
Remington Gregg, counsel–civil justice and consumer rights at Public Citizen’s Congress Watch Division, said, “Not only are people wondering if their sensitive information has been compromised and is up for sale on the dark web, but the monitoring service, Kroll, that Marriott hired to alert customers if their data was stolen includes a jury waiver and class-action ban in its terms of service. This requires customers who later have claims against the monitoring service to file in Davidson County, Tenn. This attempt to keep customers from joining together if they have claims against the company and forcing them to sue in Tennessee repeats blunders of the Equifax consumer catastrophe. There, too, the monitoring service chosen by Equifax tried to impose restrictions on consumers’ ability to bring claims in the future.”
Mr. Gregg added, “Kroll should immediately revise its terms of service to allow those impacted to sue in convenient locations, should disputes arise, and without restrictions on the ability to join together with similarly situated consumers. Still, the biggest duty falls on Marriott. As the company moves to mitigate a data breach that speaks to its own failures to properly protect the personal, sensitive data it collects from customers, it must affirmatively guarantee that its already victimized customers are not victimized again by unfair contract terms that limit their right to recovery in the event of misconduct by Kroll.”
Meanwhile, several Democratic senators and public interest advocates saw the breach as proof of the need for both federal and state laws to protect consumers’ data privacy.
Sen. Mark Warner (D., Va.), the vice chairman of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, said, “It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
Sen. Richard Blumenthal (D., Conn.), the ranking member of the Senate Commerce, Science, and Transportation Committee’s subcommittee on consumer protection, product safety, insurance, and data security, said, “Marriott’s failure to prevent the theft of private data has placed hundreds of millions of customers at significant personal and financial risk. The apparent failure to detect and remove hackers from its systems for four years calls into question whether Marriott took the security and privacy of its customers seriously. American consumers expect that companies entrusted with their credit card information, passport numbers, and other sensitive personal data are taking necessary measures to protect it from malicious actors.”
Sen. Blumenthal added, “Once again, Americans are left to pay the substantial cost of corporate negligence. Congress must move forward to end this cycle of broken promises. We must set clear consumer data protection standards for all companies — whether they’re hotel chains, online retailers, or big tech — and severe penalties for those who fall short.”
Senate Commerce Committee member Ed Markey (D., Mass.) said, “Checking in to a hotel should not mean checking out of privacy and security protections. Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon. The American people deserve real action. It’s time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them.”
Mr. Gregg of Public Citizen’s Congress Watch Division also took the opportunity to call for “a strong federal law that allows individuals who have been harmed by data breaches to hold companies accountable.”
Consumer Watchdog pointed to the news as evidence of the need for the California privacy law passed earlier this year (TR Daily, June 29).
“Businesses are already working to weaken the law, the strongest privacy law in the nation which takes effect in 2020. California Legislators must resist those efforts,” Consumer Watchdog said in a press release. “At the federal level, Congress should not bow to pressure by business and tech companies to enact a weak national law to preempt stronger state protections,” it added.
The California Consumer Privacy Act does not take effect until 2020. If it were in effect now, it “would hold Marriott responsible and the company would face fines if the breach occurred because the hotel giant had mishandled its customers’ data. Victims would also be able to sue the company under the law,” Consumer Watchdog said. —Lynn Stanton, [email protected]