In the latest of several high-profile cases of database breaches that could be connected to identity theft, the timeshare unit of hotel giant Marriott International says it can’t find computer backup tapes containing personal data of more than 200,000 customers and employees.
Marriott Vacation Club International (MVCI) set out to notify those potentially affected, as required under some state laws, that their personal data may have been compromised after tapes stored at the unit’s Orlando, Florida, headquarters were discovered missing.
The tapes held a host of personal data, including Social Security numbers as well as bank and credit card numbers.
Marriott said it was offering those affected by the data loss a chance to enroll in a credit-monitoring service without charge.
“We regret this situation has occurred and realize this may cause concern for our associates and customers,” MVCI President Stephen P. Weisz said. “We have recently mailed notifications to associates, timeshare owners and timeshare customers, and [we] are available to answer any questions they may have.”
Marriott joins several other high-profile corporations that have been forced to reveal breaches of systems holding personal data of their customers. Citigroup, Bank of America and DSW Shoe Warehouse have all revealed similar problems in recent months.
Multiple Weak Points
Often, such breaches involve computer hackers finding their way into protected databases, but information security experts have long warned that companies that focus too much on virtual security of their networks may be neglecting physical security issues, such as protection of backup storage media.
The company released few details on the missing tapes, keeping mum about when they were discovered missing or what may have become of them. It has commissioned its own investigation and said it would work with authorities where appropriate.
Marriott did not say whether any reported incidents of identity theft, or credit-card or bank-account fraud, have been tied to the missing tapes. The company said the tapes would only be useful if those who had them also had the right hardware and software to read the information they contain.
The fact that major companies — including many in the financial services industry, where trust is seen as critical — are still falling victim to database breaches underscores the difficult nature of the problem.
In June, MasterCard disclosed a security breach at a third party that handled transaction-processing duties, which exposed as many as 40 million credit-card accounts. Around the same time, Citigroup notified nearly 4 million of its customers that computer tapes containing information about their accounts had apparently been lost.
Smaller companies have found themselves in similar situations, sometimes with extortion by those who steal the data blended into the mix. Game developer White Wolf Publishing recently said hackers stole information about users of its role-playing games and threatened to post the data online if the company failed to make a cash payment.
Guidance Software, which makes database-protection products, recently revealed that its databases were breached in November, potentially exposing around 4,000 credit-card numbers.
Justifying the Cost
In addition to searching for ways to protect Internet-connected networks from hacker attacks, companies are scrambling to prevent the pilfering of sensitive records by their own employees. Insider identity theft will be a major trend in 2006, Joseph Ansanelli, CEO of data security firm Vontu, recently predicted.
The Marriott breach comes just weeks after two other major occurrences: ABN AMRO Mortgage Group said a computer tape containing data on approximately 2 million customers was lost while being transported to a backup facility. Also, discounter Sam’s Club said 600 customers who used credit cards to buy gas at its stores had fallen victim to credit-card fraud.
Companies that must hold sensitive personal data should “move quickly to end their reliance on data tapes” and instead transmit data in encrypted form to off-site storage centers, advised Gartner analyst Avivah Litan. Those that must continue to use tape should ensure all data is protected with strong encryption.
“Protecting customer data is much less expensive than dealing with a security breach in which records are exposed and potentially misused,” Litan said. Additional legislation will help spur companies to justify investments in strong data protection as well.
In fact, the latest breach may help accelerate the passage of new laws pending in the U.S. Congress. Several lawmakers are pushing for a federal bill similar to one in the state of California that requires companies to notify anyone who might be affected by a security problem in a timely manner.