Data protection can’t be optional – we deserve better
Here we go again!
Late Tuesday, March 31st – lest we mistake this for an April Fools’ Day joke – it was reported that Marriott International had been the victim of yet another data breach.
This is the hotelier’s second major breach in 18 months.
I was interested to learn how this could have happened again, so I went straight to the source and read the company’s media release regarding the situation.
Let’s walk through some relevant passages.
At the end of February 2020, the company identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.
I’m curious as to the use of the word ‘may’.
It’s possible that Marriott’s PR department preferred to use that language as a way to soften the impact of this breach on customers, but it’s just as likely that the company actually doesn’t know whether or not information was accessed in the first place.
Is Marriott just pretending not to know if data was leaked, or do they actually not know?
Which one of these possibilities fills you with more confidence?
We all deserve better.
In 2020, companies are responsible for knowing the where, what and why of every piece of data in their possession.
Talking about data breaches
So Marriott believes this activity started in mid-January 2020.
Here we have a bit more PR-speak with the word ‘believes’.
This again is likely meant as a softening word, one with which Marriott is trying to throw doubt on the timeline of events. Maybe it started in mid-January, maybe late January. Who’s to say?
Furthermore, if Marriott’s belief is correct, they’re admitting that it took nearly six weeks for them to notice this?
We deserve better.
Customers deserve to know exactly when breaches occur and when security holes are plugged.
…the company believes that the following information:
- mailing address
- email address
- phone number
- account number and points balance
- birth day and month
- linked airline loyalty programs and numbers
may have been involved for up to approximately 5.2 million guests.
There’s that word, ‘may’, again. With an ‘approximately’ thrown in for good measure.
We deserve better.
Even if we set aside the fact that privacy regulations, like GDPR and CCPA, require corporations such as Marriott to keep close track of every single piece of data collected from the public, including those listed above, does it not behoove a company in the hotel industry to have better safeguards in place even in the absence of these regulations?
Lastly, there’s this line from the announcement of the company’s November 2018 breach.
We are supporting the efforts of law enforcement and working with leading security experts to improve.
We all deserve better data protection
On the face of it, you can argue that a breach of approximately 5.2 million guests’ personal data is an improvement over a breach of 327 million guests’ personal data, but it’s hardly the improvement the public expects.
We deserve better.
We deserve to do business with corporations that treat our data with the same regard we do.
We deserve to work with companies that know not only whether data has been compromised, but also when it was compromised, how much was compromised, and the specifics of the data involved.
We deserve to work with organizations that don’t need six weeks to discover whether something may have happened and another eight to announce it.
If I sound frustrated, it’s because I am painfully aware of how not-difficult this needs to be.
Tools exist that are specifically designed to provide real-time analytics that could have stopped this leak in minutes, instead of weeks. There is a rich ecosystem of security tools available to any company that is serious about maintaining customer trust.
That’s why at Titus we began the #CommitToProtect challenge, in which key team members explain how we’re committed to protecting the sensitive data under our control.
Now we’re expanding this challenge to all Chief Information Security Officers, Chief Technology Officers and other IT professionals.
We’re eager to hear how you are pledging to safeguard your company’s most valuable data.
After all, now more than ever, data protection is everyone’s business, and companies that don’t #CommitToProtect don’t deserve us as customers.