Atlanta’s financial technology companies are watching closely after one of the world’s largest hotel chains, Marriott International, disclosed that the personal information of 500 million guests of its Starwood hotel properties may have been breached.
The information included names, birthdays, passport numbers, addresses and encrypted credit card numbers.
Marriott International said there had been unauthorized access to the Starwood network since 2014.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Credit Card Encryption
Marriott said it learned of the breach on Sept. 8, but still doesn’t know if the hackers have the key or decryption tools to read the encrypted credit card numbers.
“If data is encrypted, it’s in a meaningless form unless you have a key that translates that data back into something that a person can understand. It will be gibberish otherwise,” said Kennesaw State University associate professor of information security and assurance Humayun Zafar.
Zafar said if the attacker has gained access to the decryption tools, it could cause legal and financial trouble for the hotel chain.
“Because at that point it is remotely possible that they are not compliant [with the Payment Card Industry Data Security Standard (PCI DSS)],” Zafar said. “Our financial systems pretty much rest on that. That’s a court case in the making.”
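Zafar's point is that encrypted card numbers are only as safe as the key: if an attacker who took the ciphertext also reached the key, the encryption bought nothing. The following Go program is an added illustration written for this article, not code from Marriott, Starwood or any payment processor. It encrypts a test card number (the well-known test PAN 4111111111111111, a constructed value) with AES-256-GCM, shows that the stored record does not contain the number in readable form, and shows that decryption with any key other than the original fails outright. The key names and record layout are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// NewKey returns a random 256-bit AES key. In a real deployment the key
// lives in an HSM or key-management service, never in the same database
// or file system as the encrypted card data (a PCI DSS key-management rule).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptPAN encrypts a primary account number with AES-256-GCM and
// returns base64(nonce || ciphertext || tag), the form you would store.
func EncryptPAN(key []byte, pan string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nil, nonce, []byte(pan), nil)
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptPAN reverses EncryptPAN. GCM authenticates the ciphertext, so a
// wrong key or a modified record yields an error rather than garbage.
func DecryptPAN(key []byte, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < aead.NonceSize() {
		return "", errors.New("stored record too short")
	}
	nonce, sealed := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, sealed, nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

// LeaksPlaintext reports whether the stored record exposes the PAN directly,
// the check a reviewer would run against any "encrypted" column.
func LeaksPlaintext(stored, pan string) bool {
	return strings.Contains(stored, pan)
}

func main() {
	const testPAN = "4111111111111111" // constructed test value, not a real card
	dataKey, _ := NewKey()
	stored, _ := EncryptPAN(dataKey, testPAN)
	fmt.Println("stored record:", stored)
	fmt.Println("record contains PAN in clear:", LeaksPlaintext(stored, testPAN))

	recovered, err := DecryptPAN(dataKey, stored)
	fmt.Println("with the right key:", recovered, err)

	// An attacker who copied the table but not the key gets nothing usable.
	otherKey, _ := NewKey()
	_, err = DecryptPAN(otherKey, stored)
	fmt.Println("with a different key:", err)
}
```

The practical lesson for the processors mentioned below is the separation: the value of the encryption is entirely in where the key sits relative to the data, which is exactly the open question in Marriott's disclosure.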
Atlanta-based attorney David Katz said credit card and payment processing companies are watching closely. Katz is on the board of directors of The Technology Association of Georgia’s financial technology committee and leads the privacy and information security group at the law firm Nelson Mullins Riley & Scarborough LLP.
He said since the cyberattacks on the Wyndham Hotels group in 2008 and 2009, hotels have been a “frequent target.” Katz said he wasn’t surprised by the Marriott International data breach, but he was surprised by the large number of people — half a billion — who may have been exposed.
Katz said the breach has a “ripple effect” in Atlanta. Atlanta has a large concentration of financial technology companies and global payment processors that are likely taking a closer look at how they encrypt their customers’ credit card data.
Mike Morris, a systems partner for the Atlanta-based accounting and advisory firm Porter Keadle Moore, said most credit card companies are using industry standard encryption methodologies.
“The credit card companies can go after [Marriott International] with fines or refuse to process cards for the company,” Morris said. “Also, insurance companies won’t cover these breaches if the companies don’t have proper risk mitigation controls in place.”
Katz said financial technology companies in Atlanta are likely waiting to find out more information about the breach.
“If there’s an investigation by the card brands and the issuing banks here for the cards that were compromised, then that’s where we could really see the development of fines and real dollars associated with this breach for Marriott,” Katz said.
Marriott International set up a dedicated call center and is offering one year of monitoring services. Zafar said he was surprised the company was only offering monitoring services to residents of three countries: the United States, the United Kingdom and Canada.
“This number [of people] is a big one, that’s why the one-year monitoring service they’re offering is simply not good enough at all for a global brand,” Zafar said. “You may have certain clients who simply take their business elsewhere. You lose confidence. There are other competitors.”
Marriott International said the service being offered, WebWatcher, is not available in all countries “due to regulatory and other reasons.”
There are 57 Marriott International hotels in metro Atlanta.
Mike Litt, consumer advocate with the U.S. Public Interest Research Group, said he was concerned that the data breach had gone “unnoticed for four years.”
“Some of the 500 million customers affected appear to have had their credit or debit card numbers stolen. These consumers are at risk for existing account fraud and should consider requesting a new card,” Litt said. “Other pieces of information stolen in this breach, including dates of birth, do not appear usable for identity theft or fraud on their own. But this information could pose serious threats if coupled with more valuable personal information, such as Social Security numbers, stolen in other breaches or from phishing scams.”
Litt said all consumers should check their monthly credit card and bank statements and offered tips on preventing identity theft.