Marriott data breach: More than 5 million passport numbers stolen
CYBERATTACKS are getting more sophisticated every day, and they’re raising questions about whether current approaches to cybersecurity are sufficient to deal with the threats.
Recently, hackers managed to breach Marriott International’s system and access hotel guests’ private data, including names, credit card numbers, mailing addresses, and passport numbers.
The original estimate of the number of guests that were affected was upwards of 500 million, but the hotel group last week downsized the number of people whose data was compromised.
Following an investigation involving a forensics and analytics team, the world’s largest hotel now believes that the data of up to 383 million guests was compromised.
Sensitive data stolen
The information stolen in the breach included guests’ names along with sensitive information such as phone numbers, credit card information, emails, travel itineraries, and passport numbers.
Marriott said that hackers managed to get away with 5.25 million unencrypted passport numbers as well as 20.3 million encrypted passport numbers.
In a statement, it said, “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.”
Beyond that, 8.6 million credit card numbers were also stolen, and investigations are ongoing regarding how many unencrypted credit cards were stolen.
The hotel has offered to pay monetary compensation to replace the passports of affected guests, provided that they are indeed victims of the breach, which could cost the company about US$577 million.
At this point, it is unclear who is responsible for the breach, though investigators may have some theories.
Even with the revised figure, the Marriott data breach remains one of the most significant data breaches in history, more than double the size of the Equifax hack that affected 147.7 million people in 2017.
Are cybersecurity measures adequate?
Alarmingly, data breach incidents are becoming far too common, and companies that collect and store the data of millions are especially likely to be targets. Popular tech companies such as Facebook and Reddit were victims of cyberattacks just last year.
Tech companies are also facing increased pressure from regulators and authorities in various countries to step up their cybersecurity measures and do more to protect consumer data.
In 2017, China rolled out a comprehensive data protection regulation holding companies responsible for data protection compliance, while in Singapore, changes to the Personal Data Protection Act have been rolled out that contain provisions similar to the EU’s GDPR.
The Marriott breach and the ones preceding it could be an indication that current security strategies are not measuring up against sophisticated, targeted attacks and threats, and there could be more companies whose data has been breached but whose breaches have not been discovered yet.
Enterprises, both big and small, have to fundamentally re-think their approach to cybersecurity, and consider adopting more modern and futuristic technology such as AI, automation, and analytics in securing their data against cybercriminals.