What might happen to a company that has been making false claims about its system security for more than five years after experiencing a massive data breach? Will state attorneys general, the SEC, and the FTC investigate and possibly penalize them for a significant misrepresentation to consumers and regulators?
CSO Online has a significant update concerning litigation against Marriott over the 2018 breach that affected hundreds of millions of customers:
For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.
In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.
During the hearing of the US District Court for the District of Maryland Southern Division, Judge John Preston Bailey ordered Marriott “to correct any information on its website within seven days.”
The Correction
Read more of Evan Schuman’s report on CSO Online. Schuman notes that in response to the judge’s order, Marriott didn’t even issue a new post on its site or any notice to call attention to the correction. They merely silently edited their original website notice to add two sentences:
Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018, were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).
[Note: Marriott’s original statement on their web page had been reported on DataBreaches.]
Now What?
Schuman notes that the admission, years later, that no encryption was used raises a whole host of questions that have yet to be answered.
Did Marriott get reimbursed by their insurance carrier because they claimed the data had been encrypted?
Will the Securities and Exchange Commission have something to say about misleading investors by claiming encryption when it wasn’t used?
How is it that this wasn’t discovered and corrected in 2019 or 2020 at the latest? Why is this first coming out now?
Were there other lawsuits that were dismissed because of Marriott’s claim that data were encrypted? Were there other potential plaintiffs who did not sue because they relied upon Marriott’s claim of encryption?
Was this an innocent mistake on Marriott’s part or not?
Correction: The Marriott page does note an update on it — I missed it because I was looking at the bottom of the page and it was on top. Thanks to Evan Schuman for catching my error. A sentence commenting that there was no note of update has since been removed, although it is still a silent update on a years-old notice — Dissent.