It’s on you to hold companies accountable, expert says, after hotel data breach scandal

VANCOUVER (NEWS 1130) – You may want to keep a close tab on your credit card information, especially if you’ve travelled.

Up to 500 million people who stayed at hotels belonging to Marriott International may have sensitive personal information compromised.

The company says it’s discovered unauthorized access within its Starwood network has been taking place for years — since 2014.

The theft includes passport and credit card numbers, and even birthdays.

It could be the second largest data breach in recent history, and one cyber security expert says it’s just another example of how we’re caught in a cycle.

“With more and more large-scale organizations, especially the scale of variant, this is becoming a daily norm and is serving as an example that as consumers, we need to start holding these organizations more accountable,” says Cyber.sc Chief Security Strategist Dominic Vogel.

He says it’s time for people to develop a taste for only the finest in data security. So what does accountability look like? Vogel says for one, it’s time to move away from these types of organizations and not using them for the services they provide.

“Right now, statistics show that very few consumers stopped going to or stopped using a certain company or organization after a breach,” he tells NEWS 1130. “I think consumers need to start voting with their mind, so to speak, and choosing alternatives and going to other competitors or other organizations that haven’t experienced such a data breach yet.”

That may be fine in the aftermath of a breach. However, when it comes to protecting your personal information before one happens, Vogel says there are a few things consumers can do.

“Another opportunity for consumers is to start asking more questions when they’re giving out maybe their credit card information or their personal information,” he explains. “You should feel comfortable asking an organization or business to ask them for that information.”

That can including asking why an organization needs the information, and what they’re doing to protect it.

“It’s fair ground now to be asking such questions,” he adds.

Marriott says the Starwood brands impacted may include the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Starwood’s branded timeshare properties are also included.

Related video: Marriott data breach may affect 500-million guests

Marriott has set up a website and dedicated phone line to help customers who have been or believe they have been affected by this latest breach, which is still dwarfed by the breach that impacted an estimated 3 billion people reported by internet and email company Yahoo in 2016.

Vogel says going forward, the focus shouldn’t be on stopping hackers from getting hold of personal information, but rather should be on the organizations and businesses “who are doing a less than stellar job when it comes to protecting the information.”

“A lot of emphasis is on worrying about the hackers and what they’re stealing, but the truth of the matter is that most data breaches can be tied back to very poor or improper security configurations by these organizations. Ultimately it’s a failure of these organizations and not the success of hackers.”

According to Marriott, it received an alert from an internal security tool about an attempt to access the Starwood guest reservation database back on Sept. 8, 2018.

Following the flag, Marriott says it quickly engaged security experts to figure out what happened. An investigation determined there had been unauthorized access tot he network dating back four years.

“Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” the company says. “On November 19, 2018, Marriott was able to decrypt the information and determined that it was from the Starwood guest reservation database.”

The public was only made aware of this investigation and breach on Nov. 30, 2018.

Meantime, New York Attorney General Barbara Underwood says an investigation into the data breach has been launched.

On Twitter, Underwood says New Yorkers have a right to know their personal information will be protected.

She’s also taking this opportunity to highlight the need for bringing that state’s data security laws “into the 21st century.” A proposed bill, Underwood explains, would put in place stronger protections for consumers, as well as expand reporting requirements when breaches like this occur.