Lessons from the Marriott Breach
Laurence Dunne
Product Management Executive Team Leader - Extensive Healthcare and Fintech background
As many as 500 Million guests had their personal data stolen in a breach now believed to be the work of the Chinese Government. While the motive remains unclear, what is clear is that if YOU have ever stayed at a Marriott Hotel, your personal data, including passport data, name, address, phone, email and possibly credit card data, is now in the hands of the Chinese Government. Why are they interested in your personal data? And why attack a hotel chain? Why not a government database, a financial institution or a large retailer?
The simple answer to the first question is: Data has more than just monetary value. It can be compiled, cross-referenced with other data and used for blackmail, military intelligence and countless other reasons, monetary and non-monetary.
At this point, we all need to accept that at a minimum, our names, addresses, email addresses, telephone numbers and some of our payment methods and passwords have been accessed, sold, bought, cross-referenced and leveraged multiple times without our consent. Experian, Target, Marriott, Yahoo, eBay, Uber, Home Depot are just a few of the big hacks in recent years. Chances are, you've used one of these websites.
The Marriott hack exposes yet another layer in this complex web: Data breaches are easy espionage.
LESSON 1: YOUR DATA MATTERS TO POWERFUL PEOPLE
It's not just criminals who want your data. What could the Chinese Government want with Marriott data? Well, the early evidence suggests that Marriott, as a key vendor to the US Military, is storing data not just about US Military Personnel, but about their movements. That means that YOUR data matters to someone powerful just as much as it matters to your customer. What could an intelligence agency do with your data? Determine spending patterns of Military Personnel? What flights they took? Where they took an Uber? What medical treatments they have recently had? What politicians they had dinner with?
LESSON 2: DATA INTEL IS NATIONAL SECURITY
We have known about this for a while, but the Financial Services, Tech and other industries have routinely resisted thinking of big data as a National Security concern, and have fought against legislation to tighten data security standards. We can now expect that argument to resurface, and even in a divided Congress, we can expect additional legislation. It's time that the private sector changed tactics and sought to influence the simplicity, competence and future-proofing of legislation, rather than simply trying to kill it. At some point, we all lose financially if we keep trying to hold security costs down rather than admit that this is a huge private sector problem that needs to be addressed.
LESSON 3: TAKE GDPR SERIOUSLY
Marriott will be liable for a fine of up to $147 Million in the EU alone for failure to report under GDPR. It's hard to imagine any security measure costing so much that it would outweigh Marriott's massive liability under GDPR. Remember, GDPR is not so much an EU regulation as a global regulation protecting Europeans. If an EU citizen uses an American website to book a stay at a Marriott in Asia, GDPR applies to the transaction because Marriott is active in Europe and is aware that the person booking the hotel stay is a European. It's time for American companies with business in Europe to take GDPR seriously!
LESSON 4: ENCRYPTION IS NOT ENOUGH
Marriott announced that they cannot confirm that the encryption keys used to encrypt credit card numbers on their servers were secure during the breach. Encryption only protects data while the keys stay out of the attacker's reach; if the keys were taken along with the ciphertext, the card data is effectively in the clear. While the Chinese Government was likely more interested in the espionage value of the data than in the credit card numbers themselves, no such assumption holds for other attackers. The North Koreans, for instance, could use fast cash any way they can get it.
LESSON 5: THE HORSE HAS BOLTED
It's too late to close the barn door. The horse has bolted. All of us now live in a world where our personal data is out there, being bought and sold over and over again. Pandora's box cannot be closed. We can't rescue the data. It's time to make the data meaningless with a comprehensive approach to new types of data that make the 'numbers' the hackers have harvested meaningless. They have your social security number. It's time to make that number useless. They have your passport number. It's time to make that number useless. Smart chips, biometrics and multi-factor authentication are a start, but a comprehensive change is needed. We all want to monetize our data, but it's time we all agreed on a comprehensive set of rules. That includes the private sector, consumers, and governments.
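The two points above, that encryption is worthless once the keys are stolen alongside the data (Lesson 4) and that the harvested "numbers" should be made meaningless rather than merely hidden (Lesson 5), can be shown side by side. The following is an added illustration, not Marriott's code or anything the article describes in detail: it uses a toy HMAC-based stream cipher as a stand-in for AES (so it runs with only the standard library), constructed sample card numbers, and a hypothetical `TokenVault` class standing in for a separate tokenization service.

```python
"""Added illustration: co-located keys versus a separate token vault.
The cipher below is a toy (HMAC-SHA256 in counter mode) chosen so the
example runs with only the standard library; it stands in for AES."""
import hashlib
import hmac
import secrets

# Constructed sample card numbers (standard test values, not real cards)
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per record, prepended to the ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def build_encrypting_server(pans):
    """Pattern A (the weak one): ciphertext AND the key live on the same host,
    so a full copy of that host is a full copy of the card numbers."""
    key = secrets.token_bytes(32)
    return {"key": key, "records": [encrypt(key, p.encode()) for p in pans]}


def recover_from_dump(server):
    """What a copy of the host yields when the key was stored beside the data."""
    return [decrypt(server["key"], rec).decode() for rec in server["records"]]


class TokenVault:
    """Pattern B: a separate, more tightly controlled system maps random
    tokens to card numbers. The application only ever stores the token.
    (Hypothetical class for this illustration.)"""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        # Random, not derived from the PAN: a hash of a 16-digit number could
        # be matched offline because the space of valid card numbers is small.
        token = secrets.token_hex(16)
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def build_tokenized_app(pans, vault):
    """The application database holds only tokens; nothing in it decrypts to a PAN."""
    return {"records": [vault.tokenize(p) for p in pans]}


def pans_exposed_by_tokenized_dump(app_db, pans):
    """Card numbers recoverable from a dump of the tokenized application alone."""
    return [t for t in app_db["records"] if t in pans]


if __name__ == "__main__":
    weak = build_encrypting_server(SAMPLE_PANS)
    print("co-located key, dump yields:", recover_from_dump(weak))
    vault = TokenVault()
    app = build_tokenized_app(SAMPLE_PANS, vault)
    print("token vault, dump yields:", pans_exposed_by_tokenized_dump(app, SAMPLE_PANS))
```

The point of the contrast is where the secret lives: in pattern A the key is just another file on the breached server, so "encrypted at rest" adds nothing once the host is copied; in pattern B the stolen records are random tokens that are useless to anyone who does not also control the vault, which is the concrete form of "making the number useless."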