The hack of hotel company Marriott International could be the best thing for your cybersecurity strategy.
For Marriott, of course, it’s something of a PR and cybersecurity disaster. On Friday the company said the database of its Starwood properties had been hacked since 2014 and only discovered this past September.
Marriott admits the hackers stole personal information from as many as 500 million of the hotel company’s customers. Stolen data is said to include information on customers’ passports, credit cards and travel plans.
Not good for Marriott. But for tech providers, this massive hack offers 3 valuable lessons for protecting your customers’ data:
Lesson 1: Don’t ignore seemingly small hacks. They could be the tip of a dangerous iceberg.
Marriott bought Starwood Hotels & Resorts in late 2015, and just 4 days later, Starwood reported a small data breach. It seems hackers had installed malware on PoS terminals in some of Starwood’s restaurants and gift shops. The thieves wanted to steal credit-card information at the point of sale.
Marriott now insists the PoS hack is unrelated to the new breach. But some security experts say a more thorough investigation at Starwood might have stopped the latest hackers. “They should have been able to isolate hackers back in 2015,” one security expert, Andrei Barysevich of Recorded Future Inc., told the Wall Street Journal.
Your tech-provider takeaway? Treat every breach seriously. Assume any small breach may also be reconnaissance for a larger one, probing your systems for weaknesses.
Lesson 2: If and when your systems are breached, notify customers quickly and clearly.
Marriott says it has begun notifying customers of the massive data breach. But the process will take weeks, meaning some customers who had their data stolen may not know about it until year’s end.
That may be understandable, given Marriott’s need to send messages to half a billion customers. But it’s safe to guess your customer list is far, far shorter. And that means you can, and should, move far more quickly.
Your takeaway: If and when your data or systems are breached, reach out to your customers immediately. At the very least, send everyone an email. For some of your biggest, most important customers, you may want to make a personal phone call, even a personal face-to-face visit.
Either way, explain clearly and concisely what happened, what data is at risk, what you’re doing about it, and how quickly you think the matter will be resolved.
Lesson 3: Start getting ready for a possible U.S. data-privacy law similar to Europe’s GDPR.
Several U.S. Democratic senators are so angry about the Marriott breach, they’re calling for tougher federal data-privacy laws.
They include Richard Blumenthal of Connecticut, Mark Warner of Virginia, Ed Markey of Massachusetts, and Ron Wyden of Oregon, according to the Washington Post. Sen. Wyden even suggested that company execs who fail to protect their customers’ data should face jail time.
Putting wind in their sails is Europe’s General Data Protection Regulation, which went into effect this past May.
GDPR sets stringent rules for protecting the personal data of European Union citizens. It also sets high penalties for noncompliance — for each violation, a maximum fine of either €20 million (approximately $22.6 million) or 4% of a company’s annual revenue, whichever is higher.
Some senior tech-industry executives have recently called for a U.S. federal data-privacy law, too. They include the CEO of Salesforce.com, Marc Benioff, and Apple CEO Tim Cook.
The takeaway here is mainly a shift in your attitude. Don’t be surprised if the U.S. ends up with a GDPR-like law. Track this carefully, and start looking critically at your own security practices. Could you comply with a GDPR-like law if you had to?
Learn these 3 lessons from the massive Marriott breach. The hotel company's troubles could help you keep your customers' data safe, private and secure.