Marriott held to account?

Remember the Marriott breach back in 2018? Details of 500 million guests were exposed over a period of four years. I remember it because I’d been a Starwood guest during that time, so after a lot of swearing I did some checks to see what card details I would have used during the period.

At the time they said that card details were encrypted. I went back to look at the coverage from then, and remembered that I’d thought these statements were strange, but encrypted, so meh:

“Marriott confirmed that there are two components required to decrypt the stolen card numbers, and both those components may have also been stolen. In other words, unless confirmed otherwise it’s best to assume the card details have been decrypted.”

Well, in the class action lawsuit it turns out that the data wasn’t encrypted at all: the card numbers were hashed with SHA-1 (for the techs). That matters because an unkeyed hash of a card number is barely protection. The space of valid card numbers is small (a known issuer prefix, a Luhn check digit, sixteen digits in total), so anyone holding the hashes can enumerate candidate numbers, hash each one and compare, and a fast hash like SHA-1 makes that quicker, not harder. The judge ordered them to make a statement about it…so they added two sentences to a page created in 2019.
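
To make that concrete, here is an added example (my code, not anything from Marriott, Starwood or the court filings) of why "SHA-1 hashed" is not "encrypted" for card numbers. It uses the well-known Visa test PAN 4111 1111 1111 1111 as a constructed input, and assumes the attacker knows the six-digit BIN and the last four digits, both of which are routinely stored or printed in the clear; those are assumptions for the demonstration, not facts from the post. The `recover_pan` function brute-forces a stored SHA-1 digest by enumerating the remaining Luhn-valid numbers, and `hmac_sha256_hex` shows the keyed alternative that the same attack cannot touch without the key.

```python
"""Why a SHA-1 hash of a card number is not 'encryption'.

Added example, not code from Marriott or Starwood. Assumptions: the
attacker holds the stored digest and knows the 6-digit BIN and the last
four digits of the card; the sample PAN is the public Visa test number.
"""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check over a digit string (card numbers carry a check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sha1_hex(pan: str) -> str:
    """What an unkeyed 'hash the PAN' scheme stores."""
    return hashlib.sha1(pan.encode()).hexdigest()


def hmac_sha256_hex(pan: str, key: bytes) -> str:
    """Keyed alternative: without the key an attacker cannot compute candidate digests."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def candidate_pans(bin6: str, last4: str):
    """Every Luhn-valid 16-digit PAN with the given BIN and last four digits.

    Six unknown middle digits give 10**6 strings; the Luhn check digit
    cuts that to exactly 10**5 candidates.
    """
    for middle in range(10**6):
        pan = f"{bin6}{middle:06d}{last4}"
        if luhn_ok(pan):
            yield pan


def count_candidates(bin6: str, last4: str) -> int:
    """Size of the search space the attacker actually has to cover."""
    return sum(1 for _ in candidate_pans(bin6, last4))


def recover_pan(target_hex: str, bin6: str, last4: str, digest=sha1_hex):
    """Brute-force a stored digest by hashing every candidate PAN and comparing."""
    for pan in candidate_pans(bin6, last4):
        if digest(pan) == target_hex:
            return pan
    return None


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed sample: public Visa test number
    stored = sha1_hex(pan)
    print("candidates to try:", count_candidates("411111", "1111"))
    print("recovered from SHA-1:", recover_pan(stored, "411111", "1111"))
    # Same attack against a keyed digest: the attacker can only compute SHA-1
    # candidates, so nothing matches and the number stays hidden.
    key = secrets.token_bytes(32)
    tag = hmac_sha256_hex(pan, key)
    print("recovered from HMAC without key:", recover_pan(tag, "411111", "1111"))
```

The search is a hundred thousand SHA-1 calls, which finishes in seconds on a laptop; even with no knowledge of the last four digits the space per BIN is only a billion Luhn-valid numbers. That is the gap between "hashed" and "encrypted" that the due diligence and the breach investigation should have caught.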

I’d call that ‘very not cool’.

Marriott admits it falsely claimed for five years it was using encryption during 2018 breach
Marriott revealed in a court case around a massive 2018 data breach that it had been using Secure Hash Algorithm 1 (SHA-1) and not the much more secure AES-1 encryption as it had earlier maintained.

I agree with the article: surely there have to be ramifications? For anyone involved in the due diligence on the Starwood acquisition, for anyone involved in the breach investigation, and for the cyber-insurance payouts.

I don’t see how you can miss that the encryption isn’t there, unless you’re reading it off a spec sheet and thinking “job done”. Especially not during an acquisition, where you have to link the systems together. Or during a breach investigation!

Ugh.
