The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

The Marriott lawsuit explores the conundrum of how to value stolen data

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! We won't have a newsletter Monday because of Memorial Day, so we'll see you Tuesday! Please send us tips in the meantime; you can reach us at aaron.schaffer@washpost.com and joseph.marks@washpost.com.

Below: Russia and China vetoed a U.N. Security Council resolution to punish North Korean hackers, and a new facial recognition firm could provide a field day for stalkers. 

Is personal information inherently valuable? The Marriott class-action lawsuit could help decide.

Hotel giant Marriott is facing one of the largest-ever class-action lawsuits in response to a data breach. 

How it's resolved could help answer thorny questions about how to value stolen data and how much responsibility companies should face for being compromised. 

But lawyers will have to overcome some big hurdles before reaching a settlement or going to a trial.

“It's still a sort of novel area of the law and in particular these kinds of damage theories and what to do with them and how they will work are also incredibly novel,” James Pizzirusso, a lawyer at Hausfeld who is a lead class counsel in the case, told me. “And so we are now sort of creating new law as we proceed every day.”

Millions of records

The Marriott case is significant for its scale — hackers stole more than 130 million records belonging to potentially tens of millions of people — and also for its progress in federal court, where it has been winding for years.

“Most data breaches impact a couple thousand or maybe tens of thousands [or] hundreds of thousands of people,” Pizzirusso said. “Here, nearly everyone has stayed at a Marriott hotel and was in Marriott's database, and as such, their personal information about where they stayed, when they stayed, oftentimes their credit card number, a passport number, all that information that Marriott had in its systems is now in the hands of criminals.”

The hack

Marriott announced in 2018 that it was hit in one of the largest data breaches ever. For at least four years, hackers had access to a database belonging to Starwood Hotels and Resorts, which Marriott acquired in 2016. The breach affected more than 130 million records, according to court documents.

The U.S. government has blamed China for the hack:

  • As early as 2018, U.S. government investigators tied the breach to Chinese hackers, and Secretary of State Mike Pompeo also confirmed that China was responsible.
  • In 2020, Attorney General William P. Barr listed the hack in a string of cyber intrusions that the U.S. government has blamed on China as he announced the indictment of Chinese hackers responsible for breaching Equifax.
  • China has denied that it is involved in launching cyberattacks.

Verizon, which investigated the breach for Marriott, wasn’t able to find out how hackers first got onto the network because the network changed in the years leading up to the hack’s discovery, according to a Verizon report. It found malware on nearly 500 devices, which were located across the United States and around the world. Hundreds of systems were “decommissioned,” the report said.

Valuing data

The case raises questions about how to value data that is stolen but not sold on shadowy marketplaces. 

Courts sometimes calculate a data breach’s damage by looking at the losses by victims; for example, if their identities were stolen. But that doesn’t account for cyberattacks backed by governments that may not initially cost victims anything monetarily but still force them to live in fear knowing that foreign spies may be examining their personal information.

  • In 2018, my colleagues reported that some U.S. intelligence officials believe that the data was stolen to boost Chinese data sets on U.S. and other citizens that include data from breaches of U.S. health insurance companies and the Office of Personnel Management.
  • But cybersecurity firm Mandiant couldn’t find anyone on the dark web selling data that was stolen from the breach, though some people tried to scam people by purporting to have the data, a Mandiant executive said in an expert report commissioned by Accenture and Marriott.

The lawyers representing the plaintiffs in the case are gunning for Marriott and Accenture. 

  • “We think companies really need to pay more attention to this, and when we are giving them access to our most sensitive personal information, we should hold them to the highest standards of protection of that data and that's our goal here,” Pizzirusso said. “We really want to make it more expensive for companies to drop the ball like Marriott and Accenture did here.”

Marriott declined to comment on the case. Accenture didn’t respond to a request for comment.

The companies

The two companies have appealed a federal judge’s decision this month to allow the class action to go forward. In its appeal, Marriott called U.S. District Judge Paul Grimm’s decision the “wrongful certification of one of the largest data-breach class actions ever.” Accenture called the decision “manifestly erroneous” in its own appeal.

Limits in how damage is interpreted have forced lawyers to propose outside-the-box ways of calculating victim losses. Grimm, who has wrestled with how to value data, left the door open to novel arguments about how to value stolen information in the case when he eventually certified an initial group of classes across six states.

  • He blocked the plaintiffs from using a model to calculate the data’s “market value,” which they argued decreased when hackers stole the data. But Grimm left open the possibility for them to make such an argument in the future.
  • Grimm slightly narrowed a theory that they would have paid less for their hotel rooms at Marriott — or not stayed at the hotel chain altogether — had they known that the company’s data-security practices were allegedly lax.
  • Grimm certified classes across several states, which represented an estimated 48 million records, according to his opinion.
Setting precedent

This case might help answer a key question: Does personal information have inherent value? If so, what is it?

“We haven't really gotten to a place where we've tested that value at trial,” said Amy Keller, a partner at DiCello Levitt Gutzler who is also a lead class counsel in the case. She's hoping for an opportunity to present evidence that might lead a jury to conclude there is inherent value.

A trial could be a year or more away if the case doesn’t get settled or dismissed in the meantime, Keller and Pizzirusso said. 

“I would love to take the case to a trial,” Pizzirusso said. “We think our liability evidence is very strong, and we would love to be able to tell the story to a jury of how both Marriott and Accenture really dropped the ball here and they knew it.”

The keys

China and Russia veto U.N. effort to get tough on North Korean hacking

China and Russia's U.N. representatives vetoed a Security Council measure aimed at imposing sanctions on the Lazarus Group, North Korea’s most notorious government-backed hacking gang, Reuters’s Michelle Nichols reports.

The U.S.-initiated effort had the support of all 13 other members of the body. China, Russia, the United States, the United Kingdom and France are all permanent security council members with the power to veto any resolution.

Context: The effort would have banned oil and tobacco exports of the hermit nation. It came amid a rash of bad behavior from Pyongyang including cyberattacks and a series of missile launches. 

  • The Lazarus Group has been linked to a number of highly damaging hacks including the 2014 Sony Pictures Entertainment breach, which led to the first U.S. sanctions for a cyberattack. 
  • More recently, the gang stole $600 million in cryptocurrency from the Axie Infinity video game.

U.S. Ambassador to the United Nations Linda Thomas-Greenfield warned that “it is time to stop providing tacit permission” to North Korean aggression “and to start taking action.”

China's U.N. ambassador, Zhang Jun, called the sanctions effort “not an appropriate way to address the current situation.”

Spain to expand judicial checks on spying after Pegasus scandal

The move by Prime Minister Pedro Sánchez comes after revelations that Spain’s CNI intelligence service snooped on the phones of more a dozen activists from the separatist Catalan region, Agence France-Presse reports.

The spying was conducted using commercial spyware provided by the controversial Israeli firm NSO Group, whose tools have been linked to the tracking of journalists and dissidents in numerous nations. An external actor also used NSO’s Pegasus spyware to hack into Sánchez’s phone and the phone of Spain’s defense and interior ministers, the Spanish government said. 

Context: The move marks one of the most significant governmental reforms to date as a result of reporting about widespread misuse of NSO spyware led by The Post and 16 media partners. 

The Spanish reforms were partly driven by politics. Sánchez’s minority government needs the votes of the Catalan separatist party ERC to remain in power, AFP reports.

Sánchez described the reform to parliament as focused on “ensuring maximum respect for the individual and political rights of people.”

  • Sánchez also pledged the government will adopt a new law governing classified information to replace a 1968 law passed during the dictatorship of General Francisco Franco.
  • The government fired CNI Chief Paz Esteban last month in the wake of the hacking revelations

A new facial recognition tool could be a boon to stalkers

The website PimEyes starts with one picture of a person and is capable of spitting out dozens of online images of the same person — culled from the far reaches of the Internet including news articles, wedding photography pages, review sites, blogs and online pornography, the New York Times’s Kashmir Hill reports.

That’s raising fears that the site — which anyone can use for a monthly fee — could be used by stalkers, angry exes and others for nefarious purposes. 

It’s stalkerware by design no matter what they say,” Ella Jakubowska, a policy adviser at the privacy advocacy group European Digital Rights, told the Times. 

  • PimEyes owner Giorgi Gobronidze told the Times he expects the tool to be used ethically — by people searching for their own images, to keep tabs on their online reputation, or to search for people who’ve given their consent.
  • The site, however, has no safeguards preventing users from searching for images of anyone they like.
  • In fact, PimEyes offers a service in which it will exclude particularly embarrassing photos from other people’s searches on the site — for $89.99 to $299.99 per month. One customer who paid for that service called it “essentially extortion,” the Times reports.

PimEyes’s public availability distinguishes it from the best known facial recognition site ClearView AI, which is also highly controversial but available to only law enforcement. ClearView AI also pulls its images from social media, which PimEyes does not. 

National security watch

Russian aggression must not distract from China threat, Blinken says (By John Hudson)

Government scan

Senate confirms Cyber Command deputy, new Navy cyber leader (The Record)

Cyber insecurity

Hacker steals database of hundreds of Verizon employees (Motherboard)

Ransomware attack hits New Jersey county (CNN)

Privacy patch

Tech industry groups are watering down attempts at privacy regulation, one state at a time (The Markup)

Global cyberspace

The mystery of China’s sudden warnings about U.S. hackers (WIRED)

Daybook

  • FBI Director Christopher A. Wray and CISA Executive Director Brandon Wales speak at a Boston College cybersecurity conference Wednesday.
  • The R Street Institute hosts an event on the path forward for a federal privacy law Wednesday at noon.
  • The Atlantic Council hosts an event on the upcoming election for secretary general of the International Telecommunications Union on Thursday at noon.

Secure log off

Thanks for reading. See you Monday.

Loading...