Harvard Business Review Shares Lessons from the Massive Marriott Data Breach

A Harvard Business Review report has been released on the most recent massive data privacy breach involving a U.S.-owned firm. It discusses key points that senior managers and regulators should consider with respect to private data management and the effects of the EU’s General Data Protection Regulation (GDPR).

The breach affected Marriott Hotels and impacted about 500 million people worldwide. It exposed 8 million payment cards and 25 million passport numbers. The group will possibly face a record GDPR fine if a data protection agency based in the EU applies the maximum fine of 4% of annual global revenue for the past financial year.

Here are the crucial findings mentioned in the article:

1. The disclosure of cyber risk is still not enough

Companies are still not submitting data privacy violation reports within the correct time frame and enforcement agencies are not issuing appropriate penalties. Marriott Hotels waited 12 weeks to alert the public about the breach. The group should have announced the breach to the public within three days of discovery.

2. Mergers & cost cutting affect data infrastructure


The investigators of the Marriott data breach said the breach involved a Starwood database, not Marriott’s. Starwood had just merged with Marriott. According to the Harvard Business Review, this demonstrates how important it is for companies to take time to make sure that the entire company is aware of the requirements of GDPR.

3. Cyber breaches will have an impact on the entire supply chain of the attacked company

It is essential to keep in mind that when cybercriminals are able to access a major database, they can potentially target every single system connected with that database. For instance, if a big company is outsourcing a payslip software program or an order system, then hackers can possibly log into that system as well.

4. There is no member of the company board who is a cybersecurity expert

Marriott was found to have 13 board members, none of whom is an expert in cybersecurity. There was also no cybersecurity subcommittee formed to take care of this business concern.

Shivaram Rajgopal, Professor of Accounting and Auditing and Vice Dean of Research at Columbia Business School, and Bugra Gezer, founder and CEO of Cyber Rate LLC, authored the report. They recommend that regulators get companies to emphasize cyber readiness and take care of system cyber-risk exposure by requiring company boards of directors to have representatives from the company’s cybersecurity team. Hopefully, this would improve the board’s corporate accountability and minimize the damage caused by cyber breaches to customers and the community. Companies can learn a lot from the experience of Marriott Hotels and should think about how they would handle such a big data breach.

The Harvard Business Review online report is available here.