On July 6, Marriott, the multinational hotel franchise, announced a second staggering data breach since just the beginning of this year. This incident can be traced back to June, when a Marriott employee fell victim to a social engineering scheme posed by an unnamed group of hackers. With this misstep, the group quickly gained access to the employee’s computer, opening the gates for them to steal roughly 20 GB of personal data––some of which included credit card information, confidential business documents, and customer payment information.
If two massive data breaches in 6 months alone don’t illuminate some serious lapses in security infrastructure on a company-wide scale, Marriott’s weathered history of breaches sure does. In early February 2020, Marriott hotels endured a reputation-damaging breach that exposed the personal information of approximately 5.2 million guests. Just two years prior, an even more harrowing incident occurred in which the personal information of 339 million guests may have been compromised. Despite the devastating fallout of both of these breaches––including a $21.8m fine imposed by the U.K.’s Information Commissioner’s Office (ICO) following the 2018 attacks––Marriott acknowledged that its security measures had been improved but still left millions of customers vulnerable without implementing the appropriate safeguards.
Marriott is not alone and should not be singled out.
While the scale of these cyberattacks certainly varies, this narrative is one that we’ve heard many times before: corporations are tapped for access to sensitive information, compromising their operations, reputation, and in some cases, longevity. Hackers capitalize on this stolen information, impersonating individuals, breaching accounts, and selling this personally identifiable information (PII) on the Dark World Web to underpin a $16.1 trillion economy. Endless amounts of information exists there––from personal to financial to online account login data––and the Dark Web is the perfect environment to transact this information.
In referencing the PrivacyAffair’s Dark Web Price Index, leaked information collected from various data breaches can be found for sale at bargain prices. For example, a duplicated credit card may be available for just $20; a PayPal account could cost $150 depending on the available credit; and a Gmail account, just $65. On the Dark Web, hackers have the ability to piece together bits of data scavenged from different breaches in order to craft mature profiles. From here, these cybercriminals have an easier time taking over even more personal accounts.
On the Surface Web, or the accessible World Wide Web, users and/or vulnerable security infrastructures grant access to accounts using this personal information, allowing cybercriminals unfettered access to corporate networks,, bank accounts, implanting ransomware and so much more. Over the past decade, the number of data breaches per year has dramatically risen from a mere 662 in 2010 to over 1,000 by 2021––and these data breaches are only becoming more and more dangerous.
The fact is, so long as the data has value and utility, the breaches will continue. Cybercrime is a big business: in 2021 alone, identity fraud losses tallied a total of $56 billion, and the cost of all cybercrime is predicted to hit $10.5 trillion by 2025.
As terrifying as these numbers are, it’s beneficial to note the root cause of the situation:
- Data is generally stored in central honeypots and hackers are patient. As the Marriott breach demonstrates, it takes one human mistake in the loop to create a big problem. Besides being patient, hackers are persistent too. They have a variety of techniques to get their hands on the data. And there is actually very little guidance on best practices on how to prevent data breaches – data protection laws specify fines and call out concepts like “data minimization” but the fact is enterprises such as banks, healthcare institutions and government agencies need personal data in order to properly manage their dealings with consumers and the general public, and except in very extreme cases, it is not feasible to introduce significant friction into security protocols.
- Passwords continue to rein. Despite the best of intentions, as this article shows, most people do not “walk the talk”. And while there is a lot of excitement around the new Passkeys, there are also many drawbacks which likely need to be rectified before enterprises jump in with both feet and adopt. Until then, and as long as there is a back door for hackers to use stolen data to impersonate people and reset accounts, which is the case for most passwordless authentication solutions today, the problem will perpetuate.
The Emergence of PII Data Vaults
To end the cycle, address these two root causes. Doing one without the other is not enough.
Personal data must be secured in such a way that even insiders do not have access to central repositories. New types of data vaults are emerging to address the weak links in maintaining and securing personal data. They generally utilize encryption, tokenization, masking, and other privacy-preserving technologies, combined with privileged access management and data governance tools. But oftentimes the data is still centralized, there is still a reliance on tokens that need to be managed and access is still via weak authenticators.
So, the idea is correct – we should separate out personal data from other repositories, but we should be careful that we are not in the process, creating an even easier, focused target for attackers having that data in a single dedicated environment. The answer lies in next generation decentralization technologies that can handle all different data types and make sure that the data access is protected with user biometrics.
The number of data breaches tells us the amount of personal data that is out there for grabs. Think about images, demographic, biographic, financial, healthcare and many other personal data types that need to be protected. If we can ensure that they are out of reach of attackers and we lessen our dependencies on weak authenticators, it is possible to get out of the dangerous cycle we find ourselves in.
This will require serious intervention from cybersecurity professionals and commitment from government agencies, corporations and non-profits alike (all have been breached) to treat personal data with a sense of corporate responsibility like they do the environment. Regulatory compliance is not enough.
Decentralization technologies and strong authentication mechanisms are available. There is no excuse for anyone not to act.