Tony Pepper, CEO of Egress Software Technologies, comments:
“Marriott has admitted that a data breach incident within its Starwood guest reservation database may have led to the personal information of up to 500 million guests who made a reservation being compromised.
This data breach clearly enters and surpasses the ‘mega breach’ parameter. Using figures from Ponemon Institute’s ‘Cost of a Data Breach’ study, these types of breaches are projected to cost companies between $40 million and $350 million. Marriott has revealed that its ongoing investigation showed that an unauthorised party had first copied encrypted information in 2014, and that it had taken steps towards removing this data.
Aside from the scale of the breach, what is equally alarming is the period of time taken for Marriott to identify the vulnerability and to report the incident to the appropriate authorities. Given the sensitive nature of the data that has been compromised, it will be extremely difficult to gauge the true impact on their customers.
With organisations under increasing pressure to maintain compliance with data protection and retention legislation such as GDPR, as well as to preserve business continuity, they have a responsibility to ensure that the information they share and store is appropriately protected. To achieve this, businesses must first understand the sensitivity of the data they manage and then apply a combination of encryption, rights management and policy-based access control. If such an approach had been taken in this case, it is likely that the breach could have been identified far more quickly and the risk mitigated.
Not only does this incident raise concerns for Marriott, but it also serves as a reminder to all organisations that they must constantly be working to enhance their data security systems and protocols to avoid similar breaches on this scale. We now await with interest the full response from the ICO.”