Marriott has provided an update on the SPG reservation data breach that was first disclosed on November 30th, 2018. Key points from the update:
- Approximately 25.5 million passport numbers were included; about 5.25 million of them were stored unencrypted.
- Approximately 8.6 million encrypted payment card numbers were involved. Marriott says there is no evidence that the keys needed to decrypt them were accessed, but it also acknowledges that card numbers may have been entered into other database fields that were not encrypted.
- Marriott now puts the upper limit on the number of guest records involved at approximately 383 million, down from the 500 million originally reported. It states that the number of unique guests affected is lower than 383 million but says it cannot determine the exact number (very reassuring…)
I got into a debate with somebody the other day regarding this breach. They said this really wasn’t Marriott’s fault and that Marriott was a victim of this whole mess, as SPG was the one whose systems were breached. I argued that Marriott should have done due diligence regarding information security before acquiring SPG. I’m not an information security expert, but not encrypting all passport numbers seems like a fairly massive security flaw.
Until the penalties for data breaches are increased, they will continue to happen at an alarming rate. Marriott seems hell-bent on pushing the narrative that Chinese state agents were responsible for the hack, but in my mind that only makes information security more important, not less. Companies have a responsibility to keep private information private, and if they fail to do so they should be punished harshly.
