After Starwood Data Breach, Marriott And Customers Face Costly Headaches

Marriott begins a massive cleanup effort following the data breach affecting 500 million guests. But if past hacks are any guide, consumers will be the ones who will have to protect their data.

RACHEL MARTIN, HOST:

The question-and-answer website Quora is the latest company to report a data breach. The site says hackers may have accessed the data of 100 million users. When companies reveal massive data breaches like this, as Marriott did with its Starwood properties last week, it's hard to pinpoint who stole what and how that data was used. Because of that, companies and their customers face a whole lot of expensive headaches. Here's NPR's Yuki Noguchi.

YUKI NOGUCHI, BYLINE: After a data breach, companies undertake massive cleanup efforts to try to patch up their security and alert customers. Cybersecurity experts call this remediation. Avivah Litan, a cybersecurity analyst with Gartner, says such costs vary.

AVIVAH LITAN: It can range from $10-$150 a record stolen, depending on how many millions of records were stolen.

NOGUCHI: At half a billion affected guests, Marriott's breach is one of the largest in recent history. It's also likely to face tens of millions of euros in penalties from new EU privacy laws that took effect this year. Apart from that, Litan says Marriott will have to pay for expensive upgrades to its security and additional fees and fines to credit card companies. But how effective are these efforts? Many experts say not very. Nick Marinos is director of cybersecurity and data protection at the Government Accountability Office.

NICK MARINOS: I think the remediation can be pretty darn challenging. That, at least, I think I can safely say.

NOGUCHI: Marinos wrote a recent report on the aftermath of last year's data breach at Equifax, the credit reporting company. There, hackers stole personal information of nearly 150 million people. Many had to freeze their credit. The cost to Equifax has topped $400 million to date, and this doesn't even include extensive legal costs or fines. Marinos says it's hard to trace incidents of fraud to a specific data breach in part because there have been so many over the years.

MARINOS: But one thing that we talk about often with some of these breaches is the fact that if you take data that was stolen from one breach, combine it with data that's out there from different breaches, you can know a lot about an individual.

NOGUCHI: And use that information to carry out fraud. This situation has companies scrambling to protect themselves. Marriott, for example, says it's trying to gauge what its cybersecurity insurance will cover. But consumer advocates complain most of the cleanup falls to individual consumers who have to cancel credit cards, change passwords or monitor their credit. Mike Litt, with consumer group U.S. PIRG, supports congressional proposals akin to the new European statute that would increase fines for data breaches.

MIKE LITT: One way to offset these costs would be to actually make the investments on the front end.

NOGUCHI: John Yanchunis agrees. He's a class action attorney who filed suit against Marriott the same day it revealed its breach.

JOHN YANCHUNIS: The data breach litigation is going to cause companies to want to avoid getting sued and avoid regulatory scrutiny. So they're going to begin to spend more money on keeping information safe.

NOGUCHI: But safety is an elusive, constantly shifting goal, even among companies that prioritize it. Sean Joyce is head of cybersecurity and privacy at PricewaterhouseCoopers. He says cybercriminals have become harder to detect and defeat.

SEAN JOYCE: They're really looking at implementing bots and complicated exploits that they're developing using, you know, machine learning.

NOGUCHI: Joyce says it's countries like North Korea that are driving the demand for hacked data. And their objective isn't necessarily to access an individual consumer's bank account. The reality, he says, is that breaches are inevitable. He offers companies this advice.

JOYCE: Fight like heck to protect yourself. Right? But what I'm saying is, be prepared, and then have that ability to basically respond and recover quickly.

NOGUCHI: Yuki Noguchi, NPR News, Washington.

[POST-BROADCAST CORRECTION: In this story, we incorrectly paraphrase Sean Joyce of PricewaterhouseCoopers as saying that breaches are inevitable. In fact, Joyce believes some breaches are almost inevitable, especially when nation-states (like North Korea) are driving demand.]

Copyright © 2018 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.
