
After Starwood Data Breach, Marriott And Customers Face Costly Headaches


The question-and-answer website Quora is the latest company to report a data breach. The site says hackers may have accessed the data of 100 million users. When companies reveal massive data breaches like this, as Marriott did with its Starwood properties last week, it's hard to pinpoint who stole what and how that data was used. Because of that, companies and their customers face a whole lot of expensive headaches. Here's NPR's Yuki Noguchi.

YUKI NOGUCHI, BYLINE: After a data breach, companies undertake massive cleanup efforts to try to patch up their security and alert customers. Cybersecurity experts call this remediation. Avivah Litan, a cybersecurity analyst with Gartner, says such costs vary.

AVIVAH LITAN: It can range from $10-$150 a record stolen, depending on how many millions of records were stolen.

NOGUCHI: At half a billion affected guests, Marriott's breach is one of the largest in recent history. It's also likely to face tens of millions of euros in penalties from new EU privacy laws that took effect this year. Apart from that, Litan says Marriott will have to pay for expensive upgrades to its security and additional fees and fines to credit card companies. But how effective are these efforts? Many experts say not very. Nick Marinos is director of cybersecurity and data protection at the Government Accountability Office.

NICK MARINOS: I think the remediation can be pretty darn challenging. That, at least, I think I can safely say.

NOGUCHI: Marinos wrote a recent report on the aftermath of last year's data breach at Equifax, the credit reporting company. There, hackers stole personal information of nearly 150 million people. Many had to freeze their credit. The cost to Equifax has topped $400 million to date, and this doesn't even include extensive legal costs or fines. Marinos says it's hard to trace incidents of fraud to a specific data breach in part because there have been so many over the years.

MARINOS: But one thing that we talk about often with some of these breaches is the fact that if you take a data that was stolen from one breach, combine it with a data that's out there from different breaches, you can know a lot about an individual.

NOGUCHI: And use that information to carry out fraud. This situation has companies scrambling to protect themselves. Marriott, for example, says it's trying to gauge what its cybersecurity insurance will cover. But consumer advocates complain most of the cleanup falls to individual consumers who have to cancel credit cards, change passwords or monitor their credit. Mike Litt, with consumer group U.S. PIRG, supports congressional proposals akin to the new European statute that would increase fines for data breaches.

MIKE LITT: One way to offset these costs would be to actually make the investments on the front end.

NOGUCHI: John Yanchunis agrees. He's a class action attorney who filed suit against Marriott the same day it revealed its breach.

JOHN YANCHUNIS: The data breach litigation is going to cause companies to want to avoid getting sued and avoid regulatory scrutiny. So they're going to begin to spend more money on keeping information safe.

NOGUCHI: But safety is an elusive, constantly shifting goal, even among companies that prioritize it. Sean Joyce is head of cybersecurity and privacy at PricewaterhouseCoopers. He says cybercriminals have become harder to detect and defeat.

SEAN JOYCE: They're really looking at implementing bots and complicated exploits that they're developing using, you know, machine learning.

NOGUCHI: Joyce says it's countries like North Korea that are driving the demand for hacked data. And their objective isn't necessarily to access an individual consumer's bank account. The reality, he says, is that breaches are inevitable. He offers companies this advice.

JOYCE: Fight like heck to protect yourself. Right? But what I'm saying is, be prepared, and then have that ability to basically respond and recover quickly.

NOGUCHI: Yuki Noguchi, NPR News, Washington.

[POST-BROADCAST CORRECTION: In this story, we incorrectly paraphrase Sean Joyce of PricewaterhouseCoopers as saying that breaches are inevitable. In fact, Joyce believes some breaches are almost inevitable, especially when nation-states (like North Korea) are driving demand.] Transcript provided by NPR, Copyright NPR.

Corrected: December 5, 2018 at 11:00 PM CST
Yuki Noguchi is a correspondent on the Science Desk based out of NPR's headquarters in Washington, D.C. She started covering consumer health in the midst of the pandemic, reporting on everything from vaccination and racial inequities in access to health, to cancer care, obesity and mental health.