Facebook, Reddit, Instagram, and Google Plus are among the popular websites that have recently acknowledged data breaches that exposed private information to people who were not authorized to have it. That list continues to grow as businesses seem incapable of implementing effective security measures to protect their customers’ data from hackers.
Two massive data breaches in recent weeks highlight the risks that ordinary consumers face when big companies fail to safeguard their customers’ private information. Breaches at Starwood Hotels and Quora remind us that corporations are not always the careful guardians of our privacy that we expect them to be.
Starwood Data Breach
Marriott announced that hackers have had unauthorized access to the reservation database for its Starwood Hotel chain since 2014. Starwood is the world’s largest hotel chain, operating hotels under its own name as well as Westin, Sheraton, Four Points, W Hotels, and several other hotel brands.
Hackers gained access to data identifying about 500 million customers, including guest names, postal addresses, telephone numbers, dates of birth, genders, email addresses, and passport numbers. That kind of information facilitates identity theft and phishing schemes, in which criminals pose as legitimate businesses when they contact consumers in an attempt to defraud them.
Marriott acknowledges that hackers stole an unknown number of files containing encrypted credit card numbers and unencrypted credit card expiration dates. Marriott doesn’t seem to know whether the hackers were able to steal the data needed to decrypt the numbers.
Marriott was notified of the hack on September 8, 2018. It began an investigation of the database breach and confirmed the fact and scope of the breach by November 19, 2018. Marriott delayed making any public announcement about the breach until November 30, 2018, when it filed a statement with the Securities and Exchange Commission.
Marriott also began notifying affected customers on November 30, although its email (from “email-marriott.com”) caused many customers to worry that the notice was not legitimate, in part because typing “email-marriott.com” into a web browser does not bring up a website.
It isn’t uncommon for scammers to take advantage of a data breach by sending fake emails to trick customers into revealing private information. Marriott compounded its customers’ anxiety by sending a legitimate email that appeared to be a spoof.
Apart from the risk that personally identifying information can be used to commit identity theft, the problem of spam emails is compounded every time private email addresses become available to spammers. If a Marriott customer’s inbox suddenly begins to fill with spam emails, it is a good bet that the hackers sold the email addresses they collected from the data breach to spammers.
A security expert at Aegis Business Technologies referred to the Marriott data breach as the worst he has ever seen. He predicts that the hackers will soon be selling the stolen information on the dark web.
Quora Data Breach
On December 3, 2018, Quora announced that a “malicious third party” gained unauthorized access to the private data of about 100 million customers. Quora appears to be uncertain about the scope of the breach, but has announced that usernames, email addresses and encrypted passwords may have been taken, as well as the questions, answers, and comments that individual Quora users have submitted to the website.
Quora has locked out website users who log in with a potentially stolen password, a precaution that will require those users to change their passwords. If their passwords were in fact stolen and can be decrypted, those users are exposed to the risk of hackers using those passwords to attempt access to other accounts.
For the sake of convenience, many individuals use the same password across multiple sites. With an email address and a password, thieves can attempt to log into hundreds of different financial and shopping websites using that email and password combination. If they succeed, they may be able to make fraudulent purchases or account withdrawals.
Legal Remedies for Data Breaches
European countries give consumers strong judicial remedies when they are affected by data breaches. In the United States, however, business lobbyists do everything they can to shield corporations from accountability when they fail to protect their customers from data theft.
Fortunately, it is often possible to sue negligent corporations when their data breaches cause a financial loss. Even if a consumer has not been victimized by a fraudulent transaction resulting from a data breach, consumers who enroll in data monitoring services to protect themselves from potential fraud may have a class action remedy against companies that exposed them to the risk of identity theft.
Different states have different privacy and data breach laws that can provide a basis for legal action. An experienced local attorney can advise consumers of remedies that might be available when consumers learn that their personal information has been stolen in a data breach.