Marriott Breach Spurs New Calls for Government Action

The massive data breach Marriott has just revealed has prompted new calls from Capitol Hill for the government to step in and protect the large amounts of consumer and other data online, whether held by hotel chains or Big Tech data collectors.

“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans," said Sen. Mark Warner (D-Va.), vice chair of the Senate Intelligence Committee and co-founder of the Cybersecurity Caucus. "Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

That was seconded by Sen. Richard Blumenthal (D-Conn.), ranking member of the Consumer Protection Subcommittee. 

“Marriott’s failure to prevent the theft of private data has placed hundreds of millions of customers at significant personal and financial risk," he said. "The apparent failure to detect and remove hackers from its systems for four years calls into question whether Marriott took the security and privacy of its customers seriously.... Once again, Americans are left to pay the substantial cost of corporate negligence. Congress must move forward to end this cycle of broken promises. We must set clear consumer data protection standards for all companies — whether they’re hotel chains, online retailers, or big tech — and severe penalties for those who fall short.” 

Just this week at an oversight hearing, Blumenthal slammed the Federal Trade Commission for not doing enough to hold companies accountable for breaches. He said that hearing was about whether the FTC was ready and willing to take on hard problems and "robustly" protect privacy, something he suggested it has had neither the resources nor the will to do up to this point.

“Checking in to a hotel should not mean checking out of privacy and security protections,” said Senator Ed Markey (D-Mass.), another veteran voice for privacy protections (as well as a noted phrase-turner). “Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon. The American people deserve real action. It’s time for Congress to pass comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them.”

Marriott Friday disclosed what it called a "Guest Reservation Database Security Incident." That translated to a hack of the information of about a half-billion of those guests. For some or all of those guests, the information included credit card numbers, name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

The credit card numbers were encrypted, and decrypting them is a two-step process, but Marriott said it could not be sure the thieves did not get what was needed for both of those steps, too.

Marriott reported the incident to law enforcement as well as outlining it on its Web site.

Marriott was informed in September of a possible breach, and found on investigation it dated from 2014.

“We deeply regret this incident happened,” said Marriott president Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Consumer Watchdog used the breach to pitch California's Consumer Privacy Act, which passed earlier this year. “Currently many companies opt for inadequate data security because it’s cheaper than the consequences of a data breach,” said Privacy and Technology Project Director John M. Simpson. “The Consumer Privacy Act fixes that and would hold companies accountable. That’s why big business and big tech are fighting to weaken it.”

John Eggerton
