Follow Datanami:
December 11, 2018

Data Breaches and Abuses Abound, But Regulatory Appetite Appears Lacking

via Shutterstock

The holiday season brought no respite from the recent spate of data breaches that have compromised the private data of millions of Americans, with Marriott International bearing the brunt of the bad news. However, despite a Congressional report taking Equifax to task for the massive 2017 breach, there appears to be little appetite for tighter regulation at this time.

Marriott is the latest American company to lose control of its customers’ data. In late November, the hotel chain announced hackers had infiltrated its guest reservation database, which stored the personal data of more than 500 million customers who have stayed at Marriott, W Hotels, St. Regis, Sheraton, Westin, and several other hotel chains that are part of the Marriott/Starwood brand.

The company’s investigation, which began in September of this year, revealed that hackers had been accessing that database since 2014, the company says. “Marriott deeply regrets this incident happened,” the company wrote in an email to customers, including this editor. In response to the breach, the company has set up a call center where impacted customers can get information. It also offered to provide impacted customers with a year’s subscription to an identity theft protection service free of charge.

The Marriott data breach is an example of poor data management practices on the part of the hospitality industry, according to Rob Perry, vice president of product marketing at ASG Technologies.

“The hospitality industry seems to be especially vulnerable to data breaches, and needs to up its data management focus,” Perry says. “The Marriott breach is just the most recent in a string of hospitality industry breaches (Radisson suffered one in September as well), showing that organizations are under continual attack and must remain diligent in protecting the privacy of their customers’ data.”

The size of the Marriott data breach – more than 500 million people, including 327 million who lost some combination of name, mailing address, email address, phone number, Starwood Preferred Guest (SPG) account information, birthdate, passport number, and travel information — was also noteworthy. By comparison, the Equifax hack of 2017 compromised data on 143 million people.

“A breach of this scale is of enormous consequence and is further evidence of the need for consumers to be actively preparing for data breaches,” says John Heath of Lexington Law, a law firm that helps consumers repair damaged credit. “If they weren’t exposed in this SPG/Marriott breach, they may be a victim of the next breach.”

Hackers had access to Marriott’s customer reservation database for four years before the company discovered the intrusion (BeeBright/Shutterstock)

The fact that Marriott/Starwood breach went on, undetected, for four years should serve as a wakeup call for companies to investigate and fix their data security problem, says Jim Barkdoll, the CEO of Titus, a provider of data discovery and classification solutions.

“It’s the data, stupid,” Barkdoll says, channeling his inner James Carville. “A lot of attention is being paid to access, but the fundamental question that needs to be asked is around data. How was the data protected? Was the data even protected? Moreover, as Marriott wasn’t aware that this database existed for years, how can enterprises find where their critical data is being stored?”

While the massive Marriott/Starwood breach grabbed headlines, there have been plenty of over noteworthy data breaches in just the past couple of weeks, including Quora, Dunkin’ Donuts, Signet Jewelers (owner of Zales, Kay, and Jared) and Amazon India. Over the past two years, the number of companies reporting breaches has grown considerably and includes GoDaddy, Orbitz, Yahoo, Google, Facebook, Dropbox, the Democratic National Committee, and the National Football League, among others.

Just as news of the Marriott/Starwood breach was slowing down, the House Oversight Committee released a 96-page report on the Equifax breach. The report was a scathing indictment of what it dubbed “poor digital hygiene” at the Big Three credit bureau. “Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented,” according to the report, which was prepared by the committee’s Republican staff.

However, Democrats on the committee took their Republican colleagues to task for failing to recommend regulatory steps to address the growing challenges around data privacy and security. “This was a missed opportunity to convert the Committees’ oversight efforts into concrete reforms that would help prevent future data breaches, hold companies accountable, and protect American consumers and their sensitive personal information,” the Democrat’s report stated.

Meanwhile, Google CEO Sundar Pichai, who spurned an invitation to testify before Congressional lawmakers earlier this year, will finally testify in Congress today about the data breaches associated with Google+, its controversial decision not to participate in a Pentagon project, to respond to accusations of political bias in its search results and YouTube, and whether it will build a search engine for China that censors results.

Americans have grown numb to data breaches, studies show (gagarych/Shutterstock)

While greater regulation of American companies is one way to boost the security of consumer data, some in the industry suggest that the American people need to be more aware of how their data is being used or abused. If people were more aware of the ways that companies are gathering and processing their data, they might be more inclined to demand reform from legislative bodies, the theory goes.

Earlier this year, the security company NordVPN released an analysis of Census Bureau Data that found Americans are actually growing less concerned about the security of their data, despite the fact that the actual security of their data is going down (if the number of data breaches is any indicator).

The study found that the proportion of households reporting security concerns fell from 84% in 2015 to 73% in 2017. What’s more, those who said privacy concerns stopped them from doing certain online activities dropped from 45% to 33%, the company says.

“Privacy breaches are definitely on the rise,” said Marty P. Kamden, CMO of NordVPN. “Unfortunately, recent data shows a decline in security concerns, as people are becoming numb to growing threats, which can lead to even bigger data theft. People simply do not see the effects of large-scale breaches, as big companies prefer not to talk about them.”

However, another study conducted by data analytics giant SAS found that privacy concerns have grown over the years. The study found that three-quarters of the 525 American adults surveyed said they’ve grown more concerned over the past several years.

“The survey results clearly show that consumers value their data privacy and are greatly concerned about potential misuse,” said Todd Wright, Global Lead for GDPR Solutions at SAS, a leader in analytics. “Companies need to reexamine how they handle data and analytics in all aspects of the business.”

Related Items:

Building a Successful Data Governance Strategy

Six Months In, GDPR’s Impact Uncertain In the U.S.

Thwart Breaches by Taking an Operational Approach to Cybersecurity Data