Last week Starwood resorts, a recently acquired subsidiary of Marriott, reported that the information for approximately 350M customers was breached.
Unfortunately, that's not even the most troubling fact surrounding this incident. Breaches happen. It's a fact of modern life. What shouldn't have happened was that the breach appears to have been open since 2014. Four years when Starwood didn't know someone was ransacking their house. That is unacceptable.
The second troubling element of this situation is from the notification to their customers. "...There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken...". No matter how underfunded or undermanned a security group, no matter how much of a workload they carry, there can never be an excuse for storing sensitive data unencrypted or for storing it alongside the means to decrypt it. This is a failure of every security lesson learned for the past 20 years.
How did this happen? I can only speculate that it was because no one knew that this state of affairs existed. The systems are most likely a hodge-podge of technologies that have morphed and evolved over time; one poorly designed, implemented, and mismanaged system being glommed on to other poorly designed, implemented, and mismanaged systems over the years. In this case the data footprint is less a footprint and more like a bomb crater. The footprint has grown out of control to the point where no one person or team can understand what data exists where and in what state.
Marriott says they don't believe that there will be any financial repercussions for their business, but that does not let them off the hook with their customers, and it doesn't mean that companies should not learn from their mistakes.
Understand your customers and the value you provide to them. Collect only what you need to provide that value. If you don't need it, don't collect it. If you collect it, don't store it. If you store it, encrypt or otherwise protect it. If you encrypt it, don't keep the means to decrypt it accessible to just anyone. The shift to the cloud gives companies the chance to stop being "system hoarders," and it's well past time for companies to stop being "data hoarders".
To learn more about what you can do to stay out of the headlines and not be the Marriott of tomorrow, contact us about our Optimize Data Footprint service and break your addiction to data hoarding today.