Here we go again...
500 million records of personal data from Marriott-owned Starwood hotel guests have been stolen – credit cards, birthdates, phone numbers, passport information – a virtual treasure trove that makes this breach, after Yahoo’s 2013 break-in, the largest theft of personal information to date. Adding insult to injury, investigators have determined that the theft began in 2014 and remained undetected for four years. And it was the second major security breach to befall Starwood; in 2015 its cash register systems were penetrated.
Several lawsuits have already been filed. The company’s stock price was down 5% the day of the announcement, and this breach will probably trigger the first major GDPR case since the European rule went into effect this year. Under the new law, Marriott could be subject to a fine of up to 4% of global revenue for failing to protect personally identifiable information.
Four years. Are there any lessons here?
We recently wrote of the necessity of routinely auditing your cyber security protocols. One would hope that this basic step, properly executed, would have mitigated the damage to Marriott’s guests. Of course, it is easy to point fingers. The bigger question, and the bottom line, is this: what is the responsibility of the Board of Directors with respect to ensuring the integrity of the company’s records and the confidence of its customers?
It begins with education and commitment to action. Although 97% of CEOs of major corporations consider cybersecurity a top priority, less than half believe they are adequately prepared. Boards should demand clarity from their top officials:
An often-heard definition of "insanity" is to do the same thing over and over and expect a different result. The cyber threat alarm bell has been rung repeatedly at enormous cost to both individuals and companies. Is anyone listening? Or has it been rung so loudly everyone is now deaf? Whatever the reason, reputations continue to shred (think Equifax, or Facebook), valuations plummet (think Yahoo) and real people are hurt.
Until Boards hold management accountable, the relentless cyberattacks on corporations and their customers – the very people who trust them – will continue unabated. Unfortunately, four years of negligence is not the exception. As in medicine, you often have to be looking for the disease in order to find it. Cybersecurity is no different. A full body scan of the business might just do wonders...
For further reading on this topic: