Marriott International, which acquired Starwood in 2016 for $13 billion dollars, disclosed late Thursday night that unknown attackers had accessed and copied the records of roughly 500 million customers that stayed at Starwood properties from 2014 until September of 2018. (Guests who stayed at Marriott properties are unaffected, as Starwood and Marriott properties used different databases for guest information.) If confirmed, the hack would be the second largest of its kind in history, behind only the Yahoo data breach that exposed the data of 3 billion accounts.
For some customers, the attackers only swiped names and mailing addresses, but for 327 million guests, Marriott believes attackers accessed passport numbers, dates of birth, gender, and a number of other of details about the customers’ stays at Starwood properties.
Furthermore, hackers may have potentially gained access to an unknown number of credit cards used at Starwood properties. The credit card info was heavily encrypted, but Marriott hasn’t been able to rule out that the hackers may also possess the keys to decrypting that credit card information.
For American consumers affected by the Marriott data breach, there’s little reason to expect a happy ending. Marriott stock is down about 5 percent in early trading today, and will no doubt face class action lawsuits, but the case of the Equifax hack should be instructive here. The Equifax data breach revealed the Social Security numbers, driver’s license numbers, dates of birth, phone numbers, and email addresses of 148 million Americans. Even more galling, Equifax waited six weeks after discovering the breach to disclose it to the public.
Equifax faced a class action lawsuit (as well some individuals suing the company in small claims court), until the Senate, in a 50–50 vote with Vice President Mike Pence breaking the tie, decided to repeal a federal rule that allowed for consumers to sue financial institutions as a class, instead allowing Equifax to deal with all those affected in forced arbitration, which tends to be much more favorable to companies than to consumers. While Equifax’s stock price dipped initially after the news broke, it has since recovered. Equifax continues to to win large government contracts, such as a $7 million deal to protect the IRS from fraud. It may eventually face fines from federal regulators, though it so far is has managed to avoid state fines by simply agreeing to try to do better in the future.
As is becoming increasingly common when it comes to data security, the only bright spot for consumers is the EU. Under GDPR, companies that fail to maintain data privacy can be levied fines of up to 4 percent of their annual revenue. Marriott International brought in $22.9 billion in revenue in 2017. Four percent of that would be $892 million, a hefty amount. Still, even if that fine was levied, that works out to only about $1.78 for every customer affected by this breach.
The number and severity of data breaches is increasing, and that increase shows little sign of slowing down. The potential liability for companies, even factoring in a more pro-consumer EU, isn’t keeping pace. Your data is valuable to companies; keeping it safe, seen in the stark light of a risk–benefit analysis, isn’t.