Commentary

The Marriott Maelstrom: How Did Chain Get Hit So Hard In Breach?

Despite the massive data breach affecting 500 million guests -- one of the biggest such ruptures ever -- Marriott customer data has not turned up on the dark web, Jason Hill, head researcher at CyberInt, reports, according to the Financial Times.

That may be the only good news Marriott is about to get. The hotel chain announced the breach early Friday morning, and within hours it was facing a major corporate crisis. 

For one thing, its stock price slid 6% on Friday to $115. It could have been worse, but then there was the predictable filing of two class action lawsuits — at last count.

In one, reportedly filed in a Maryland federal court, two attorneys — Ed Claffy of Chicago and Stewart Bell of Charleston, West Virginia — sued as aggrieved customers, using the law firm of Murphy, Falcon & Murphy.

“Marriott’s failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data constitutes an unfair act or practice prohibited by Section 5 of the FTC Act,” the complaint says. 

In addition, the Blast reports that a $12.5 billion suit was filed by Ben Meiselas of Geragos & Geragos, and local counsel Michael Fuller of Underdog Law. 

“For the past four years, 500 million customers expecting a comfortable worry-free stay at Marriott were instead exposed to one of the largest digital infestations in history,” the complaint states, the Blast continues. 

Perhaps even more seriously, the FBI reportedly is probing the breach, as are the attorneys general of four states: New York, Illinois, Connecticut and Maryland.

And, as MediaPost has reported, Senator Ed Markey (D-Massachusetts) has called for “comprehensive consumer privacy and data security legislation that requires companies to adhere to strong data security standards, directs them to only collect the data they actually need to service their customer, and creates penalties for companies that fail to meet them.”  

Still unknown is whether Marriott will face sanctions under the GDPR. Surely, the Marriott database contains data on EU citizens — and fines from that could dwarf anything that will be meted out in the U.S.

Without assessing blame, one has to wonder: how can such large corporations find themselves in this situation? Are their security systems mere playtoys?

“We don’t yet know the root cause(s) that forced Marriott this week to disclose a four-year-long breach involving the personal and financial information of 500 million guests of its Starwood hotel properties,” writes Krebs on Security. “But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.”

“Marriott is one of the largest hotel chains in the world,” states Hassan Murphy, managing partner at Murphy, Falcon & Murphy, and a member of the plaintiffs’ steering committee in the breach litigation case against Equifax. “That such a corporation would fail to properly safeguard the highly personal and sensitive information of its guests and customers is inexplicable.”

Murphy adds: “Even more egregious is the fact that Marriott did not discover this breach for nearly four years, and then for months after that discovery failed to tell its customers what had occurred. This conduct constitutes a significant breach of trust and confidence unparalleled in the hospitality industry.”

Bringing this closer to home, such disasters could have a dampening effect on email response.

For example, some people will no longer open an email bill from anyone — they will simply call the company, using the number they have had for years, and pay that way, or send a check to the known address, according to anecdotal evidence.

To recap, Marriott determined on November 19 that the breach, exposing data on reservations made on or before September 10 of this year, had occurred. The data on 327 million guests includes such details as name, email address, mailing address, phone number, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences, Marriott says.

The chain was alerted on September 8 that an attempt had been made to access the Starwood database in the U.S. Security experts determined that unauthorized access to the Starwood network had existed since 2014. In addition, the firm discovered that an unauthorized party had copied and encrypted data from the database.

The affected brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Four Points by Sheraton, Westin Hotels & Resorts, Element Hotels and Aloft Hotels.

"We deeply regret this incident happened," states Arne Sorenson, president and chief executive officer. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

But, to put it in perspective, JP Morgan analyst J.P. Greff told Barron's that while the timing is unfortunate, “our general view is that any damage done to Marriott’s brand longer-term will likely be minimal, if at all, as the breach isn’t as dire as last year’s Equifax breach, and the company took quick action, and consumers are growing somewhat numb to these events.”
