Hacking the details – Marriot Hotels

(Last Updated On: December 17, 2018)

On Friday the news broke about the massive “data security incident” that the Marriot Hotels Starwood reservation database suffered.  A database of some 500 million records.

In September an internal security tool detected an attempt to access the database, and after an investigation it was discovered that unauthorised access to that database had been in place since 2014.

Varying amounts of data were contained within the database, but it’s not hard to work out what this data will contain.

In the industry there is a method of storing credit card information called PAN. Primary Account Number is a process for reducing the risk of fraud by truncating the information that is stored – usually limiting the storage to the last four digits of a card number and expiry date.

You can see this in action on many till receipts.

A new bit of information for me, at least, was to learn that hotels routinely keep hold of a customers full credit card details in case they attempt non-payment.

One downside of the Data Security / GDPR rules is a lack of clarity on what is considered an appropriate length of time to retain customers details.

All companies, regardless of size, have to take responsibility for the safe storage of data and in this instance (as well as others of a similar nature) there will, justifiably so, be hefty fines to contend with.

In June 2018 Dixons Carphone reported an incident to the ICO and some news outlets suggested that they might avoid a larger fine (in the region of £17 million) because they would be investigated under the old Data Protection regime which meant a maximum fine capped at £500,000.

New GDPR rules allow a maximum fine of 4% of turnover or 20 million euros, whichever is higher.

In one of the updates on incident the ICO suggested that it was early in the investigation and until the exact dates of the incident were understood no determination had been made if the punishment would be per the 1998 or 2018 version of the act.

A later update revealed that the size of the incident had been confirmed to have affected 10 million records “which is significantly higher than initially stated”.

On revenue of £10.5bn (as in 2017) this would mean a potential maximum of fine of approximately £420 million.

In it’s 17/18 annual report the ICO notes that Dixons Carphone were fined £400,000 for a separate incident that occurred in 2015.

We are, of course, talking about massive numbers here, but the security considerations are similar for all businesses just on a different scale.

Security is a serious concern, and it’s crucial to get it right.  There are many nuances that need to be considered when putting together appropriate security for a company – clearly a good monitoring system is one of significant importance.

Consumers should be protected from fraudulent purchases made on their cards but this is assuming they are aware something is even amiss.

It’s a tactic of fraudsters to not grab thousands of pounds in one hit rather to take small amounts out regularly so as not to arouse suspicion.

You’d like to think we all pay close attention to our outgoings on a regular basis.

But then four years without being aware someone has full access to your database of 500 million records when you’re a 22.894 billion (2017) turnover company what hope is there for the rest of us?!

Our Security Simplified service provides a series of security solutions for SMEs that are based around the concepts of ISO 27001 that aim to protect businesses both internally and externally.  If you have any security concerns or would like to discuss your corporate security in more detail please get in touch.