
Why companies are still failing to protect our personal data

A newly announced breach into the Marriott hotel chain’s reservation database is one of the biggest hacks in history, affecting half a billion customers in all. Amna Nawaz speaks with David Kennedy, co-founder of security firm TrustedSec, to understand what's unusual about this breach, whether companies are doing enough to safeguard data and how individuals can protect their own information.

Read the Full Transcript

  • Judy Woodruff:

    The breach into the Marriott hotel chain's database is one of the biggest hacks in history, second only to the breaches at Yahoo that affected three billion accounts.

    As Amna Nawaz reports, the hackers, still unidentified, accessed the reservations system of Marriott's Starwood hotel properties as far back as 2014.

  • Amna Nawaz:

    The breach affected personal data of half-a-billion customers in all. For more than 300 million of them, the hackers were able to get lots of information, including names, phone numbers, e-mail addresses, passport numbers, dates of birth, and arrival and departure information.

    The hack affected Starwood hotels such as the Sheraton, Westin, St. Regis and W Hotels. And it's the latest in a series of major breaches. Most significantly, the credit rating agency Equifax was hit last year with a big breach, affecting nearly 150 million people.

    In 2015, hackers were able to get at the records of nearly 80 million customers of the insurance giant Anthem. And one of the more well-known retail breaches was Target back in 2013. More than 40 million people were affected that year.

    To help us understand what is at risk in this case and others, we check in with David Kennedy, the CEO of TrustedSec, a security and consulting firm.

    David, welcome back to the "NewsHour."

    Let's start with what we know. Based on the information that was taken, how it was taken, do we have any idea who was behind this hack or how that info could be used?

  • David Kennedy:

    Currently, that information hasn't been released.

    But what's particularly interesting with this one is that we haven't seen the information on the Dark Web or being sold in any way, shape or form, as we would typically see from an organized crime perspective. So it's a bit peculiar right now who these groups were, or who the attackers were, and what their motives were for actually getting access into the infrastructure.

    So we're still trying to learn who they are, what they did, but they had access to quite a substantial amount of information, including potential loss of credit cards. Marriott basically made a statement today stating that they couldn't determine whether or not the attackers actually got access to the decryption keys used to get access to the credit cards themselves, which were encrypted.

    So this could mean that this is a much larger breach in nature, even much larger than the Target breach, depending on whether they did have access to the credit card data itself.

  • Amna Nawaz:

    And that passport information seems to be unique in this case. Why is that problematic?

  • David Kennedy:

    Well, the information that was taken is everything about your personal life essentially, your security questions, your home address, phone numbers, your passport information.

    All of these things can be used in order to do additional identities and things like that. The passport itself isn't easy to replicate or clone, but just having that information and being able to go to different locations — and notice that this was also the Starwood loyalties program as well that was potentially impacted by this.

    So, being able to go to hotels for free, and charging those and having passports, if you have ever traveled internationally, these are things that we see all the time, where they require you to have your passport I.D., things like that.

    So, it definitely can be used from a fraud perspective, to use that information against you. And it's things that you can't easily change, especially things like your date of birth.

  • Amna Nawaz:

    So, you know what we know now based on past attacks, really. Give me a sense of some of those past attacks we just listed there. What do we know about how that information was later used?

  • David Kennedy:

    Yes, some of these involve organized crime groups that take that information to what we call the carder market to then sell it in different batches.

    And, usually, we see those happen very quickly, usually within a couple of weeks, or a couple of days of a specific breach. And then it usually takes a little bit longer to determine where that breach came from.

    With things like Equifax, for example, though, it's been rumored that that was nation states or hostile countries against the United States using that information for large-scale intelligence collection purposes. I'm not saying that that's what's happening here. We don't know at this point in time.

    But it definitely is peculiar that this information hasn't publicly been posted on these Dark Web sites for sale to make a profit off of it. So there are a lot of different motives and demographics that we have traditionally seen in the past with other breaches. It's just going to take a little time to understand exactly who this was and whether we can attribute it back to a specific group or an adversary like a nation state that would be hostile to the United States.

  • Amna Nawaz:

    So, David, news of these kinds of breaches is no longer unusual.

    Are companies getting any better at preventing these things from happening?

  • David Kennedy:

    When we saw the massive data breaches around credit card data in the retail space, like Home Depot, Jimmy John's, Target, there was a big joke that went through the retail sector, where they really beefed up their security, trying to protect the information and the credit card data.

    With hospitality and other industries, like medical research, health care, government, ones that are not focusing on government secrets, they're usually behind the times when it comes to security, and they're absolutely not doing enough.

    The problem they have is that they have large amounts of information. You're talking 500 million in this case, a half-a-billion records. But most hospitality services don't necessarily consider themselves a target for hackers.

    In this case, obviously, that's what occurred. And it's going to take a lot more of these breaches in different industry verticals for these things to actually occur. So, right now, the answer is, no, they're not doing enough to protect your information out there. And most of these companies don't believe that they're a target and don't spend enough when it comes to security-related efforts.

  • Amna Nawaz:

    So, if companies aren't doing enough, for anyone out there who thinks they're either part of this breach, or just want to try to prevent this from happening to them down the line, what can individual people be doing at this point to better prevent this from happening?

  • David Kennedy:

    Well, first and foremost, we don't know the extent of this breach. But it's safe to say that passwords were probably compromised when it comes to this as well.

    So if you had a Starwood account from 2014 up until September of this year, it's important to change your password, but, most importantly, if you use that password anywhere else, we see very commonly, when large data breaches like this occur — there was one with LinkedIn, and a number of other ones that have occurred — that attackers have tools that automatically log into all of these different sites to try those passwords you have associated with those e-mail addresses.

    So if you're using that same password somewhere else, heavily recommend changing that immediately. Additionally, credit monitoring does do a good amount of service. You can actually call the credit bureaus and lock your credit, so that things can't be taken out in advance.

    And that's a good precautionary measure, not just for this specific breach, but just in general. There are also services like LifeLock, for example, which give you a $1 million insurance policy in case somebody actually does steal your identity and uses it for fraudulent activity. They will help you fix that credit, and also give you monitoring for things that are occurring out there.

    And last but not least, one of the most important steps that we see out there is, your financial institutions, your social media accounts, things like that have additional settings that you can log into your site with, and put what's called two-factor authentication in place.

    And these are steps that give you a one-time text message to your phone that you answer when you log into your sites. And think about that. If a hacker gets access to your password, they still don't have access to your account because they don't own your phone.

    And that's one of the best steps out there today to stop a lot of these different types of password attacks that we see happening.

  • Amna Nawaz:

    Some good advice we can all follow.

    David Kennedy of TrustedSec, thank you very much.

  • David Kennedy:

    Thank you very much.
