Marriott Breach: Why The Worst May Be Yet To Come

Let’s try this a different way, if only to make a vital point with insincerity.

We must give credit to the criminals who engineered the recently disclosed data breach that could end up impacting some 500 million guests of Marriott International. These tourists, business travelers and others entrusted the Starwood hotel guest reservation database with details about their payment cards; home, work and email addresses; passport numbers and images; reward accounts and general travel habits.

Not only did the criminals behind the breach attack a juicy target (imagine the identities that could be hacked or created with all that information after it is sold to other fraudsters on the Dark Web or otherwise used), but they had apparently enjoyed unauthorized access into the hotel database since 2014. Good for them!

Well, not really. We at PYMNTS are never fans of theft or any other illegalities, especially of such potentially life-altering attacks on businesses and consumers. We don’t do the Hollywood anti-hero thing when it comes to fraud or hacking. However, according to one cold, very severe point of view, the only people who deserve a congratulations in this unfolding mess — the people who obviously did their jobs better than other parties involved — were, indeed, the criminals.

Breach Aftermath

In a new PYMNTS discussion on Monday (Dec. 3), Karen Webster and Philipp Pointner, chief product officer at online security services provider Jumio, essentially searched for ways to avoid becoming resigned about this attack (yet another big breach, the biggest breach until the next biggest one), as well as for something positive in its aftermath. It’s not easy, but there are always silver linings, right?

Here’s the challenge: Consumers are almost certainly becoming numb to these types of breaches, secure in the knowledge that banks will have their backs. Sure, there is always some early stage indignation, some earnest proclamations to avoid compromised businesses.

However, as Webster pointed out in a fresh column about the Marriott breach, on the one-year anniversary of the Equifax breach, it was reported that only 8 percent of consumers took Equifax up on its offer to freeze their credit reports. Fewer still cancelled their credit and debit cards. No doubt, most recall that crime. In case their memory is fuzzy, though, they can remember this: Hackers gained access to the credentials of almost every adult in the U.S., information that is now available for sale on the Dark Web.

That is, indeed, sobering. So, if consumers haven’t been scared straight, and no one can reasonably argue that news of the Equifax breach was swept under the rug, where does that leave us?

“It’s only the government that can make it scary for business,” Pointner said. The pressure of regulations, and the heavy fines that can come with them, are one way to bypass apparent consumer apathy and erect better fortifications — and encourage the building of those better fortifications — against data breaches.

Prevention Strategy

That’s one leg of the strategy, Pointner described to Webster, one that accounts for businesses — at least, in general — often letting down consumers when it comes to the security of the data they share online with retailers and service providers. His strategy is a response to the limits of pressure that can be brought on by card networks and issuers.

His strategy is also informed by the enormous stakes and specific reality of the Marriott breach — not only is, what he called, a “holy set” of data involved, but the guests are often business travelers tied into Marriott stays by corporate contracts, rewards and other factors. (Why did the bank robber rob the bank? That’s where the money was located.)

Pointner called for better standards on how to handle non-payment — but still extremely valuable — consumer information, like passport numbers and scans of images (which travelers must often use when staying in out-of-country hotels). In other words, businesses need to do more than merely rely on the safeguards and sense of security offered by PCI.

Besides that (and government pressure and fines), consumers can play a role. Pointner noted on Monday that the first consumer class action suits related to the Marriott breach had been filed. The prospect of such large damages could also encourage better security measures. “I think there’s an avenue there,” he said.

Pointner and Webster added that better security on the part of targeted businesses can lower the costs of breaches born by acquirers, payment service providers (PSPs) and others that are part of the larger ecosystem — a world that includes other merchants and businesses, of course.

To put it another way (and to deploy another metaphor from Mother Nature), the ripples of this, and any, attack reach numerous parties — all the merchants, processors and issuers, and even those with no involvement in the original incident.

The Appeal Of Friction

The Marriott breach could serve to boost the profile and appeal of biometric authentication, Pointner said. Specifically, he spoke about liveness detection systems, for which consumers take selfies that are used by authentication companies to make sure that the person requesting a service or transaction is the legitimate person.

When it comes to such authentication requirements, “we live in a different world than it was three years ago,” he said, measuring this by conversion rates. “Users don’t have any issue” with those requirements, in part, because they understand that they won’t have to go through such a process for every service or transaction, but usually only for onboarding.

In other words, friction can be very good if applied smartly.

“Customers appreciate friction because it makes them feel secure,” Webster said.

Pointner responded, “We’ve reached the point in time [where] it’s not more or less friction anymore, if we do it right.”

Maybe that will be one of the enduring legacies of the Marriott breach: the wider recognition that friction is, in fact, a virtue and not a vice in payments, commerce and data security. Until then, it’s a good idea to keep close eyes on accounts and sensitive information, and on business traveler programs.