When Marriott International disclosed the massive data
security breach of its Starwood network on Friday,
technology and cybersecurity experts were not surprised it happened.
"We're in an era where breaches that go undetected for
four years should be a thing of the past, but they're not," said Brian
Krebs, writer of the KrebsOnSecurity blog. "And
unfortunately, it's not surprising to see this within the hotel industry. The
hospitality world has been notoriously bad at implementing security to protect their
own systems and the data of their guests."
Krebs cited the hotel industry's continued use of credit
card and debit card swiping systems, as opposed to chip-enabled readers that
encrypt payment information, as one glaring example. He also pointed out that
Marriott posted its press release announcing the breach on an unencrypted web
page.
"Even after nearly every single major hotel company has
gotten breached over the last four or five years, hotels are still doing these
very obvious things that we have solutions for," he said.
The industry's long list of recent data hacks includes
InterContinental Hotels Group's 2016 data breach of guest payment cards at
almost 1,200 properties in the U.S., as well as Hyatt's 2017 credit card
breach, its second major breach in two years.
Notably, Starwood reported a data breach affecting more than
50 properties in November 2015, shortly after being acquired by Marriott.
According to Starwood's disclosure, that security breach dated back to at least
November 2014.
Technology consultant Shelly Palmer similarly views the
hospitality industry's security systems as inadequate. "Like many
industries that are venerable and mature, hotels have legacy systems that were
not designed for the world we live in today," he said.
Palmer added, however, that while the Marriott breach "is
a big one, by any measure," the media frenzy surrounding the incident is "much
ado about nothing."
"Hacks like this are happening on an industrial scale,"
said Palmer, while emphasizing that consumers and businesses alike are largely
insured against cybercrimes by their banks and credit card companies. "It's
a victimless crime. This happens all the time, and there's nothing consumers
can do about it. This is bad PR for Marriott, and it will probably generate a
lot of questions that Marriott would rather not answer, but this is really just
a story about doing business in the 21st century."
Despite data hacks being commonplace, Palmer has several
suggestions for consumers concerned about their personal and payment
information falling into the wrong hands. He recommends purchasing cyber
insurance, which can often be added to homeowner's insurance plans, and
making sure to only connect smart devices and computers to private networks,
especially when traveling overseas.
Krebs advises consumers to regularly check their credit card
and debit card statements, while sticking to credit whenever possible.
"If you make a payment with a credit card, it's a
provisional charge," explained Krebs. "But when you get hit with
fraud on your debit card, you have to contact your bank and count on them to
put the money back, while in the meantime, hope that you don't bounce checks."
According to the Federal Trade Commission, if a consumer reports
a fraudulent ATM or debit card transaction within two business days after
learning of the theft, he or she is liable for a maximum loss of $50. If it's
been more than two business days but less than 60 calendar days, the maximum
loss jumps to $500.
"If you've been paying attention at all over the last
few years, you should have already adopted the notion that all that data about
you, including your credit card information and your Social Security number, is
for sale already," Krebs said. "You shouldn't wait for some company
to tell you that. If you don't have fraud on your card, it's probably just
because no one has bought your information yet."