By Norman D. Marks, CPA, CRMA | 2 Minutes Read February 25, 2019

Hyperventilating about cyber – Part I

Image: www.mytechteam.net

It’s hard to see a survey these days that doesn’t include cyber as one of the top risks faced by organizations around the world.

But should it be?

Are we hyperventilating unnecessarily? Or is the risk so severe that such a reaction is justified?

This is the first of two posts I plan on the topic. This one will talk about the effect of breaches on consumers, and then I will move on to corporations and my advice to risk and cyber professionals.

Over the last decade or so, I have traveled all over the world, sometimes on vacation but also to speak at conferences and lead training sessions.

While my preference is for the Hilton family of hotels (simply because I have more status with them), I have also stayed frequently at Marriott, Sheraton, and other properties.

So when Marriott announced a massive cyber breach in November, I wondered how it would affect me personally.

The first thing I noticed was that while this was announced as a Marriott breach in the news (such as on NBC), the report didn’t make it clear that it only related to stays at hotels like the Sheraton and the Westin. NBC references Starwood, but not everybody knows which hotels are included in the Starwood family.

So what was stolen?

A January update by Marriott provided a little clarity:

  • The breach relates to stays at Starwood properties (not Marriotts) since 2014.
  • The number of guests whose records were stolen is unclear. All we know at this point is that it is less than 383 million.
  • While 25.55 million passport numbers were stolen, all but 5.25 million were encrypted and the encryption appears to be secure.
  • 6 million credit card (referred to as payment card) records were stolen, but as of September 2018 only 354,000 cards had not expired. All the data were encrypted.
  • In addition to credit card and passport information, the hackers copied names, addresses, email addresses, phone numbers, and reservation dates.

What could that mean to me?

My information might be included, but I cannot see this as something of great concern.

What could the hackers do with it?

Not much.

The FTC has a useful piece of advice, which I recommend. But I already have my credit rating monitored, alerts on each of my credit and bank accounts for unusual activity, and don’t think I need to do more.

I cannot see how my passport number can be used to cause me harm. I don’t need to get a new one.

Certainly, the breach will cost Marriott (more in the second post). Lawsuits have already been filed (including this one), even though there is little evidence of harm to guests (IMHO).

My breath is normal. How is yours?

Questions:

  1. Am I missing something? Can hackers misuse my passport number and stay information?
  2. Is this something I should be hyperventilating about?
Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.