Encrypting sensitive information

Category: Travel rumblings

One hotel at which I have stayed – The Sheraton Dunes

Readers will remember that we mentioned the data breach at the Marriott Hotels group which, at the time, seemed to involve up to 500 million people worldwide.

The breach only happened in the Starwood Hotels section of the group – the part that operates under the brands W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Those who have only stayed in Marriott-branded hotels are unaffected; the Marriott reservation system was separate from Starwood's.

Now that the group has undertaken some forensic archaeology on its files it has found that the number of guest records involved is "only" 383 million! Many guests have more than one record, so the number of people affected is lower still.

More worrying is the fact that about 5.25 million passport numbers were stored unencrypted, alongside roughly 20.3 million that were encrypted. Those are probably overseas visitors to the hotels rather than domestic guests, since it is visitors from abroad who hand over a passport at check-in.

And that is what makes me worried. Given how useful and valuable passport numbers are, why shouldn't every single one of them have been encrypted? You might like to think that the unencrypted ones were on older files and that it is now company policy to encrypt them. That is no excuse: security experts have been saying for decades that all sensitive data should be encrypted at rest, and that the keys must be held apart from the data, because ciphertext stored next to its own key protects nobody.

But is the problem totally due to Marriott?

It was in November 2015 that Marriott agreed to acquire Starwood Hotels & Resorts; the deal closed in September 2016, and the breach was made public in November 2018, almost three years after the announcement. Marriott has said the intruders had been inside Starwood's systems since 2014, before the acquisition. Were the old Starwood staff negligent in not encrypting personal information? Did this not show up when Marriott did its due diligence, or did it only undertake financial due diligence?

It raises a wider issue. Should auditors, when preparing annual accounts, insist on checking that personal data is encrypted, since a breach can have a significant financial impact on a company? Should company law be altered so that it becomes an offence for the directors and officers if such data is not encrypted?

In future I should like to know that the places at which I stay are as secure with my data as they can be, and that checks are in place to confirm that this is so.
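The two things asked for above, that every passport number be encrypted with the key held away from the data, and that a check exists to confirm it, can be shown in a few dozen lines. The example below is added here and is not code from the post or from Marriott; it encrypts a passport field with AES-256-GCM, binds the guest's name to the ciphertext so a value cannot be moved to another row, and audits a set of records for any passport number still stored in the clear. The guest records, the `loadKey` function standing in for a key store outside the database, and the fixed key it returns are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// encPrefix marks a field that holds ciphertext rather than a passport number in the clear.
const encPrefix = "enc:v1:"

// GuestRecord is a constructed stand-in for one row of a reservation database.
type GuestRecord struct {
	Name     string
	Passport string // plaintext, or encPrefix + base64(nonce || AES-GCM ciphertext)
}

// loadKey stands in for fetching the data-encryption key from a key store held
// outside the database (a KMS or HSM in a real deployment). The fixed 32-byte value
// is constructed for this example only; its length selects AES-256.
func loadKey() []byte {
	return []byte("0123456789abcdef0123456789abcdef")
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one sensitive value with AES-256-GCM. The guest's name is
// bound as associated data, so a ciphertext copied into another guest's row fails
// to decrypt instead of quietly yielding the wrong passport number.
func EncryptField(key []byte, guest, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, nonce, []byte(plaintext), []byte(guest))
	return encPrefix + base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

// DecryptField reverses EncryptField. A wrong key, a tampered ciphertext or a
// mismatched guest name all surface as an error from gcm.Open.
func DecryptField(key []byte, guest, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return "", errors.New("field is stored in the clear, not encrypted")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, sealed := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, sealed, []byte(guest))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// AuditPlaintextPassports walks every record and returns the guests whose passport
// number is still sitting in the database unencrypted.
func AuditPlaintextPassports(records []GuestRecord) []string {
	var exposed []string
	for _, r := range records {
		if r.Passport != "" && !strings.HasPrefix(r.Passport, encPrefix) {
			exposed = append(exposed, r.Name)
		}
	}
	return exposed
}

func main() {
	key := loadKey()
	ct, err := EncryptField(key, "Alice Example", "X1234567") // constructed sample data
	if err != nil {
		panic(err)
	}
	records := []GuestRecord{
		{Name: "Alice Example", Passport: ct},
		{Name: "Bob Example", Passport: "Y7654321"}, // legacy row that was never encrypted
	}
	fmt.Println("passport numbers stored in the clear for:", AuditPlaintextPassports(records))
	pt, _ := DecryptField(key, "Alice Example", ct)
	fmt.Println("decrypted with the right key:", pt)
	_, err = DecryptField([]byte("ffffffffffffffffffffffffffffffff"), "Alice Example", ct)
	fmt.Println("decrypted with the wrong key:", err)
}
```

The audit relies on the `enc:v1:` marker being part of the storage format, which is why the marker is written by `EncryptField` rather than left to convention; a real check would also confirm that the key store, not the database server, is the only place the key exists.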
