In testimony to a Senate Homeland Security and Governmental Affairs subcommittee, Marriott president and CEO Arne Sorenson laid out potential changes to its cybersecurity protocols and apologized for the breach of Starwood's reservation system. Are they enough?
Sorenson said Marriott is working through how best to maintain travelers' information. "Part of our strategy going forward is to rely on encryption and tokenization to say, 'Whatever data we keep in this space, for example, it should all be encrypted.' That, by itself, is not necessarily a totally adequate defense, but it is one of the tools we should use." Thomas Jackson, chair of law firm Phillips Nizer's technology practice group, told BTN he worries that Marriott does not have a clear plan to prevent future breaches.
Sorenson said Marriott is considering decentralizing data collection so it remains at individual hotels. He acknowledged, however, that decentralization creates problems of its own. Jackson explained: "Typically, large enterprises have far more sophisticated means of protecting against intrusions than smaller businesses do." He said that if Marriott does decentralize its data collection, it most likely would not impact the company's ability to use customer data in its loyalty program, Marriott Bonvoy, which Sorenson recently categorized as Marriott's most important brand.
Marriott plans to encrypt all passport information, and the company is analyzing how long credit card information should be retained. Sorenson said dozens of countries require Marriott to retain passport data; some of them require the company to keep photocopies of passports. Jackson noted, "I found the handling of the passport information to be particularly alarming." The information does not need to be held indefinitely, he said, and the requirements for holding passport data can be met by "simply requesting the data anew at the point they are required to collect it."
Marriott has not encountered "any substantiated claims of loss from fraud attributable to the incident," Sorenson said. The security firms retained by Marriott have found no evidence that data from the breach has been put up for sale on the dark web. Sorenson noted that passport numbers themselves cannot be used for travel or to obtain new passports.
Secretary of State Mike Pompeo stated last year that China was responsible for the breach of Starwood's system, but Sorenson said, "I feel quite inadequate about even drawing inferences from the information we have obtained" about who is responsible.
Marriott was alerted on Sept. 8 of a potential breach of Starwood's system. On Nov. 19, Marriott determined that guests' personal data had been affected. The company publicly announced the breach 11 days later. Jackson said Marriott waited too long to reveal the potential breach to the public. "I am not a big believer that a company that is breached should wait to inform the affected parties until [the company has] more information," Jackson said.
In the meantime, California is considering legislation around data privacy. One bill, whose sponsor said it was motivated by the Starwood breach, would require companies to notify customers not only when Social Security numbers, driver's license numbers, credit card numbers and medical information are affected but also when passport and biometric information is breached. A second bill would expand the basis on which consumers can sue, under the California Consumer Privacy Act, companies that don't comply with consumer requests for how their personal information is used.