Major Data Breaches Threaten Security

Hackers stole data from as many as 500 million guests who made reservations at Marriott's Starwood properties. At the same time, question-and-answer website Quora had the data of 100 million users compromised.

Background

A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorised to do so. Data breaches may involve financial information such as credit card or bank details, personal health information (PHI), personally identifiable information (PII), trade secrets of corporations or intellectual property. Most data breaches involve overexposed and vulnerable unstructured data files, documents, and sensitive information. There have been several major instances of such breaches in 2018, such as the Facebook and Cambridge Analytica data breach in March, a data breach of 150 million accounts at MyFitnessPal, a British Airways data theft of about 380,000 customer records including full bank details, and more.

Quora is a website where questions are asked, answered, edited, and organised by its community of users in the form of opinions. The Quora Inc-owned website was founded in 2009 by Adam D’Angelo and Charlie Cheever, two former Facebook employees.

Marriott International is an American multinational diversified hospitality company that manages and franchises a broad portfolio of hotels and related lodging facilities. Marriott International is the largest hotel chain in the world. Starwood Hotels and Resorts Worldwide, LLC is a subsidiary of Marriott International.

Marriott’s security team was hit by a breach in June 2017 that was detected and reported by independent cybersecurity researchers.

Analysis

About 100 million users of Quora were affected by unauthorised access to one of its systems by a “malicious third party,” the knowledge-sharing website said on 3 December. Account information, including name, email address, encrypted password and data imported from linked networks when authorised by users, may have been compromised. The company said it is logging out all Quora users who may have been affected to prevent further damage.

CEO Adam D’Angelo said that the company is in the process of notifying users whose data has been compromised. The company said that it has also notified law enforcement officials. The breach was discovered on 30 November.

On the same day, hospitality giant Marriott revealed that a massive hack led to the theft of personal data of 500 million customers of its Starwood hotels. For 327 million of those guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard (AES) encryption. Two components are needed to decrypt the payment card numbers, and, at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and, in some cases, other data such as mailing address or email address.

The breach was one of the biggest on record.

Prior to the four-year-old breach being discovered, Marriott suffered at least one previously unreported hack, including an infection that hit the company’s own cyber-incident response team. There is evidence that Russian cybercriminals have breached Starwood Web servers. Marriott’s security is now facing probes from multiple government bodies, including the New York Attorney General’s office. European regulators like the U.K. information commissioner, who have the ability to fine companies significant sums with the power of the General Data Protection Regulation (GDPR), are also looking into the incident. Marriott's stock plunged in the aftermath, falling more than 6% in trading.

Counterpoint

Although such incidents pose the risk of identity theft or other serious consequences, in most cases there is no lasting damage; either the breach in security is remedied before the information is accessed by unscrupulous people, or the thief is only interested in the hardware stolen, not the data it contains. Nevertheless, when such incidents become publicly known, it is customary for the offending party to attempt to mitigate damages.

The information stolen from Marriott was encrypted, and even if those responsible for the breach were able to decrypt it, unauthorised credit card charges are easy to reverse. A much more serious problem would arise from a new account being opened by an identity thief using names, addresses, dates of birth, passport numbers and other sensitive information exposed by a data breach such as the one at Starwood Hotels.

Assessment

Our assessment is that the Quora and Marriott data breaches prove that the cost of failing to protect customers’ data is far higher than the cost of investing in stronger cyber security. We believe that regulators need powers to issue heavier fines on companies that have failed to protect citizens’ data, to deter negligence in the management of client information.

India Watch

As per a recent Alexa ranking, Indians are the second largest user base of Quora after Americans, and many Indians reported being logged out of their accounts. Marriott’s strong presence in India could mean that many Indians have had their data stolen in the Starwood hacks as well.