Hackers’ theft of personal information from 500 million Marriott hotel guests shows Congress needs to tighten federal data-security requirements, a high-ranking Democratic senator says.
The cyberattack that Marriott disclosed Friday, which involved the reservation system at Starwood, the luxury hotel chain it took over in 2016, is among the largest to date, affecting more people than the entire population of the United States. It dwarfs even the theft discovered last year at credit bureau Equifax, which sparked congressional scrutiny and the departure of then-CEO Richard Smith.
“It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans,” said Sen. Mark Warner, a Virginia Democrat who co-founded the Senate Cybersecurity Caucus and serves as vice chairman of the chamber’s Intelligence Committee.
“Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve,” he said. Members should pass laws ensuring companies don’t keep sensitive data longer than they need to and that they “account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses,” Warner said.
Marriott fell 5.6 percent to $115.03 at the close of New York trading on Friday, widening its decline so far this year to 15 percent.
“And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
— Mark Warner (@MarkWarner) November 30, 2018
The Bethesda, Md.-based hotelier said it was alerted to a cyber-intrusion into the Starwood reservation database on Sept. 8, then discovered that unauthorized access had been occurring since at least 2014.
Starwood properties include W Hotels, St. Regis, Sheraton, Westin and Le Meridien; they’re located in cities from New York to Washington, D.C. and New Orleans. Information that was accessed ranged from names to phone numbers, email addresses, passport data and encrypted credit card numbers, Marriott said.
“We deeply regret this incident happened,” said CEO Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott has set up a dedicated website and call center to answer questions about the attack, though it warned volume may be high, forcing callers to wait. The company is also sending e-mail alerts to affected customers and offering free enrollment in a data-monitoring service.
“The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” said Ted Rossman, a CreditCards.com industry analyst. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
Similar concerns fueled consumer backlash against Equifax, where attackers also stole personal identification data like birth dates and driver’s license numbers that banks use to verify the identities of borrowers.
