Jesse Varsalone is an associate professor of computer networks and cybersecurity at University of Maryland University College.
Marriott’s admission on Nov. 30 that its Starwood reservation system had been breached by hackers highlighted, perhaps more than any other incident before it, the immediate need to treat the protection of personal data stored on servers as a top national-security priority.
The Marriott theft, affecting a staggering 500 million guests of the hotel chain over a four-year period, differed not just in scope from other high-profile corporate hacks — such as the breach from late 2013 that stole credit card, debit card or contact information for more than 100 million Target customers. The Marriott intrusion also involved more than the information used in payment transactions. Yes, credit card numbers were stolen — which is usual with this sort of crime — but if the credit card information was simply being sold, it is unlikely that tracing the theft to a Starwood compromise would have taken four years. Breaching a hotel reservation system would also net passport numbers, birth dates, cellphone numbers, hotel arrival and departure dates — a mountain of personal information that is less useful to common cybercriminals than it might be to a nation-state interested in monitoring certain individuals it deems “of interest.”
No, this is not about tracking a family’s annual vacation to Orlando. Instead, it is more likely to involve watching individuals who have key roles in either government or business. For any individual, group or nation-state focused on, say, the foreign ties of adversarial countries or political operatives, information about who checked in to a given hotel, in a given country, on a given day could be invaluable. That information would have been obtained in the Marriott hack. (The company bought Starwood in 2016, and the affected hotels included Four Points, Sheraton, W Hotels and Westin; Marriott-branded hotels were not involved.)
Consider the payoff for such a hack. Adversaries of the United States would be able to see who is staying at a Marriott property when, for instance, the U.S. president is in town. They would then be able to determine whether anyone from that list checks in to a Marriott property at the next city on the president’s itinerary. A roster of people with travel schedules congruent to the president’s would certainly be of interest. Once a person of interest is discovered, one could start to look at others who have similar hotel records and then extrapolate co-workers, associates and anyone who travels in the same circles.
The information related to hotel visits by individuals traveling around the world isn’t classified material, but it could be invaluable to a government or agency, and used for any number of nefarious purposes — such as blackmail or advancing a political or intelligence agenda. Still, the Marriott data breach may yet turn out to be a garden-variety raid by hackers interested in little more than selling credit card information. But it has exposed, once again, the shortcomings of businesses and corporations around the world when it comes to protecting critical information and understanding how a breach can affect both reputations and profits.
Addressing cybersecurity deficiencies starts at the top. According to a 2018 Raytheon/Ponemon Institute survey of more than 1,100 senior information-technology practitioners from the United States, Europe, the Middle East and North Africa, only 36 percent of respondents said their senior leadership sees cybersecurity as a strategic priority. Until executives start taking data privacy more seriously and appreciating the security and business implications of hijacked personal data, little improvement can be expected.
Governments seem increasingly inclined to mandate that companies take more responsibility for data security. Progress on this front includes the European Union’s General Data Protection Regulation, a positive step toward data privacy for E.U. citizens and an example of regulation that focuses on individuals’ security. In the United States, the president’s National Security Telecommunications Advisory Committee voted in November to advance its plan for a “ moonshot” that would approach cybersecurity — for the federal government and for U.S. businesses and citizens — with the sort of urgency and resources devoted to the space program during the 1960s.
The committee’s report predicted that over the next 10 years, the United States would experience “more severe and physically destructive cyber attacks” than any seen to date, posing “an existential threat to the American people’s fundamental way of life.”
Ultimately, corporations such as Marriott can’t go it alone. The collective resources of industry, government, academia and citizens working in concert will be required to successfully combat a cyberthreat realm that continues to grow in both size and sophistication.