The massive data breach revealed by Marriott last week might hurt its customers beyond the personal information that was stolen.
On November 30, the company announced that as many as 500 million guests’ data was accessed due to a data breach of the Starwood hotel guest reservation database. Marriott has estimated that around 327 million of those affected had information compromised that included names, passport numbers, email addresses and Starwood account information. The breach could be one of the biggest in history.
But according to reports, anyone affected by the breach might have missed the email notification sent out by the hospitality giant because the sender’s domain doesn’t look like it belongs to Marriott. The notification came from “email-marriott.com,” a domain registered to a third-party firm, CSC, on behalf of the hospitality giant. Recipients had no easy way to confirm the email was legitimate, since the domain doesn’t load in a browser and has no HTTPS certificate identifying Marriott as its owner.
To make matters worse, the email is also easily spoofable, enabling hackers to dupe users into turning over private information through fake messages and websites. As a result, many security experts have criticized Marriott’s response to the breach, and have even sent out warnings on social media so that customers are cautious about sharing their private data.
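The spoofability complaint above comes down to whether the sender domain publishes SPF and DMARC policies that tell receiving mail servers to reject mail it did not send. The following is an added example, not part of the article and not an assessment of Marriott's real DNS; it runs the check over constructed TXT records for placeholder domains (a real review would fetch the records with a DNS resolver).

```python
import re

# Constructed sample DNS TXT data (placeholder domains, not real lookups);
# keys are record names, values are the TXT strings published at that name.
SAMPLE_TXT = {
    "notify.example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.notify.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
    "weak.example.test": ["v=spf1 ip4:192.0.2.10 ~all"],
    "_dmarc.weak.example.test": ["v=DMARC1; p=none"],
    "bare.example.test": [],  # domain publishes nothing at all
}

def spf_all_qualifier(records):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' when the record has no 'all' term (RFC 7208 default is neutral),
    or None when no SPF record is published."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            return (m.group(1) or "+") if m else "?"
    return None

def dmarc_policy(records):
    """Return the DMARC p= value (lowercased), or None if no record exists."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for tag in rec.split(";"):
                if "=" in tag:
                    k, v = tag.split("=", 1)
                    tags[k.strip().lower()] = v.strip().lower()
            return tags.get("p", "none")
    return None

def assess_sender_domain(domain, txt=SAMPLE_TXT):
    """Judge whether a notification sender domain is trivially spoofable,
    based only on the SPF and DMARC policies it publishes."""
    spf = spf_all_qualifier(txt.get(domain, []))
    dmarc = dmarc_policy(txt.get("_dmarc." + domain, []))
    findings = []
    if spf is None:
        findings.append("no SPF record: any host may send as this domain")
    elif spf in ("+", "?"):
        findings.append(f"SPF '{spf}all' does not fail unauthorized senders")
    if dmarc is None:
        findings.append("no DMARC record: receivers get no policy to enforce")
    elif dmarc == "none":
        findings.append("DMARC p=none: spoofed mail is only reported, not rejected")
    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "spoofable": bool(findings), "findings": findings}
```

A domain that passes this check can still be impersonated by look-alike names, which is the other half of the problem the article describes.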
In addition, Forbes has reported that this wasn’t Marriott's first breach. Not only did the company suffer at least one previously unreported hack, but there’s also evidence that Russian cybercriminals breached Starwood Web servers.
As a result, Marriott is now being investigated by multiple government agencies, including the New York Attorney General’s office, as well as European regulators such as the U.K. Information Commissioner’s Office.
And Senator Ron Wyden (D-OR) has called for American regulators to be given the power to impose heavier fines on U.S. companies that have failed to protect customer data.
“Clearly, current status quo isn’t working,” he said. “The Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information. Until companies like Marriott feel the threat of multibillion-dollar fines, and jail time for their senior executives, these companies won’t take privacy seriously.”