In late November, Marriott officially announced a data breach that may have compromised the personal information of anywhere between 300 and 500 million people. All guests who stayed at one of Marriott’s Starwood-branded hotels during the past four years will likely be affected, and the legal fallout for the company is just beginning.
Though reports indicate that Marriott took the appropriate steps in alerting affected individuals and announcing the hack immediately (one of the key data security protocols required in a successful GDPR or SOC 2 audit), this measure doesn’t necessarily protect a company’s threatened reputation for data security when hacks and breaches take place. Reporting a problem immediately is better than covering it up, but it doesn’t constitute an IT cure or a legal fix.
In fact, just a few days after the announcement, Marriott has already seen a dramatic drop in its stock price, and class action lawsuits against the company are already being filed.
This doesn’t forecast certain doom for Marriott, whose size, resources, and brand strength allow it to weather most crises. But the process of recovering from this crisis will be expensive and painstaking for Marriott, and ideally, a long list of lessons will be learned regarding IT security and legal protections.
Among them: 1) how the hack may have been identified earlier, a primary area of interest for investigators, 2) how vulnerabilities could have been identified and isolated following a similar, smaller incident in 2015, and 3) how to contain the spreading fallout and potential damage that continues cascading long after an initial breach of this kind. Experts warn that stolen data may be disseminated on the dark web, and tools of access can be applied to other websites (banking sites, etc.) to see if they can open additional doors for data thieves. Once this sensitive information is out of Marriott’s hands, the damage may continue for some time, and so may the legal repercussions.
Our strongest warning against the strife, expense, and lost revenue that Marriott will likely face during the weeks and months ahead can be summarized in one word: prevention. While it’s vital to have the protocols in place that allow a quick response to a breach after the fact, it’s even more critical to maintain a strong infrastructure and effective IT hygiene from the start to minimize the chances of such an incident occurring in the first place. Talk to our team of experts about protecting yourself from weaknesses in your IT environment, or better yet, identifying and removing these weaknesses before they create obstacles to the growth of your business.