Marriott Hacked, Again. Will Face Few Repercussions, Again.

You know the drill. Company X over-collects user data in the hopes of monetizing it, then does a poor job securing it or giving their customers control over it. If you're lucky, Company X comes clean about its failures, whether it's a hack or just leaving customer data openly accessible on an unsecured Amazon cloud bucket. If you're not, you'll find out about the breach years later.
Company X might get a few days of bad headlines that are quickly forgotten in an era of percussive catastrophe and short attention spans. If they're extremely unlucky, they might get a wrist slap fine from an over-extended FTC or state AG. They might even have to throw a few bucks to class action lawyers, pennies of which will wind up in the pockets of the actual victims.
But the most likely outcome for Company X is a day of bad press, a half-hearted mea culpa, and providing some free (and often useless) credit reporting for a year.
This is all made possible because we've intentionally underfunded and understaffed FTC regulators in charge of privacy, refuse to pass even a baseline modern federal privacy law, and have, time and time again, prioritized wealth accumulation over the health and safety of consumers and markets alike.
Every week there's a hack, scandal, or breach that proves the point. And every week we seemingly learn nothing from the experience.
Case in point: Marriott revealed the company had been compromised for the third time in the last seven years or so. This time around, hackers managed to grab 20 gigabytes of valuable customer data, including credit card numbers and other personally identifiable information, by tricking an employee into giving them access to their computer.
As is usually the case, Marriott downplayed the width and breadth of the hack to press outlets:
"Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate's computer," Marriott spokesperson Melissa Froehlich Flood told TechCrunch in a statement. "The threat actor did not gain access to Marriott's core network."
Here's the thing, though. Hackers had already breached the hotel chain in 2014, gaining access to 340 million guest records planet-wide. That hack wasn't even revealed until 2018, at which point Marriott saw a $123 million fine its lawyers were able to talk down to $24 million. Another 5.2 million guests had their data breached in another attack in 2020. Lawsuits for the first, 8-year-old hack are still ongoing.
Though not necessarily related, there was also that time the company blocked visitor access to all Wi-Fi signals to force users onto their $1000 per device network.
Companies like this don't really change or improve because there's no genuine incentive to change or improve. Any short-lived reputational or financial penalty is a minuscule cost in the overall revenue stream for giant corporations, so paying a penalty for issues you refuse to truly fix just becomes the cost of doing business.
A cross-industry coalition of companies has lobbied Congress into fecklessness on privacy. Those same lobbyists back politicians looking to undermine regulatory oversight and overall authority (see: that time the GOP gutted even modest FCC broadband privacy rules). As the courts are increasingly filled with corporatist right-wingers, meaningful legal accountability for lax privacy becomes increasingly difficult.
Which means nothing changes in this dynamic as it relates to privacy until there's a scandal so dangerous and grotesque that Congress is forced to act. The post-Roe landscape could easily provide such an example, but even then it's not clear that Congress will have the backbone to finally support even baseline accountability on the privacy and security front, or that the courts won't undermine it if it does.