Marriott breach threatens the market for frictionless payments

An invisible payment becomes a lot more visible when it’s compromised, making Marriott’s data breach a threat to one of the most important innovations in retail, which should scare everyone from Uber to Amazon.

The incident involved the theft of data from 500 million guests over four years, including reservations at any Starwood property. For more than 300 million of those guests, that includes names, birth dates, personal account information and reservation and travel information. In a public statement Marriott admitted attackers may have keys to decrypt payment data. In an email, Marriott's public relations department said the incident occurred with the Starwood guest reservation database, and it is phasing out Starwood systems as part of Marriott's integration efforts and will accelerate the ongoing security enhancements to its network.

Andrew Harrer/Bloomberg

Beyond Marriott’s cleanup, a distinct threat exists to the concept of an “embedded payment,” or leaving credentials with a retailer or other company to use at some later time.

This is one of the most active growth areas in payments, and is the guts behind innovations such as Uber and Lyft's ride-sharing apps and Amazon Go's cashierless checkout.

All of these businesses are different, but they all sell the idea of an invisible checkout experience made possible by storing identity and payment credentials. The Marriott incident could erode the value of these stored credentials.

“Embedded payment is where the growth is in the market,” said Richard Crone, a payments consultant, noting Uber, Lyft, Starbucks, Dunkin Donuts, Panera, curbside pickup, scan & go, and Amazon Go all rely on the model. “It also includes retaining the card-on-file in the Marriott and Starwood apps …The more merchants embed payments into their experience the more they are at risk for this type of breach.”

There’s also plenty to worry about regarding Marriott itself — and the technology, regulatory, political and financial fallout. All of this data could be used for account takeovers, identity theft and to create synthetic accounts, a particularly tough type of fraud for most prevailing security protections to stop.

“This data certainly could have been useful in piecing together synthetic identities—we know that breached data is used in this regard,” said Julie Conroy, a research director at Aite, adding a greater concern exists for spear phishing, loyalty fraud and account takeover threats. The press release "was notably silent on whether there were any passwords compromised.”

Marriott is already under fire for the timing of its announcement, which came on Friday four years after the fact, and how the current news connects to an earlier Starwood breach, if it all.

Starwood announced a breach in 2015, days after being acquired by Marriott. That breach involved point of sale systems for restaurants and shops, which were not part of reservation or membership technology at Marriott, security writer Brian Krebs reports.

“Since this has been apparently going on since 2014, I suspect a lot of this data has already been actively used and sold in the underweb, so there’s not an immediate concern about a big monetization event per se as we had after the Target breach for example,” Conroy said. “This data has probably already been used for phishing, loyalty point fraud, and social engineering in a variety of different ways."

There’s also likely to be political fallout and IT expense, since the Marriott breach is hardly the first such incident. Breaches at major retailers and hotels have become almost routine, and hotels have long had a reputation as being vulnerable for data compromise.

“It just reinforces the fact that the bad guys have full access to all of our static data, and reinforces the need to incorporate digital and dynamic data in our risk assessment processes,” Conroy said.

Advanced dynamic authentication and ID protection are getting more attention as passwords fall out of favor and the breach threat proliferates. But upgrading security systems is an investment, likely to lead to greater expense for retail and travel brands that are already battling tighter margins. Spending on biometrics and other security technology is already on pace for double-digit growth in 2018.

“Marriott and other hotels should invest in taking information security very seriously and fortify their IT infrastructure, deploy proactive means to detect breaches early and rely on biometric authentication for employees and consumers,” said Vivek Lakshman, vice president of innovation from ThumbsignIn.

The regulatory environment has also changed since 2014 Stricter data regulations are now in place, particularly in Europe, though tighter controls are expected to be implemented in most countries.

"Think of the compliance problems," said Pravin Kothari, CEO of cloud security company CipherCloud, in an email. Any company that has enough data to lose the records of 500 million people probably falls under GDPR rules, Kothari said. "What fines may arise from this?"

The Marriott breach could prompt a tightening of U.S. breach laws as well. The Treasury Department is working with state governments and consumer groups over the mix of national and state breach laws. And Marriott's breach announcement sparked a call for tighter data security laws from U.S. Sen. Mark Warner, D-Va.

"We must pass laws that require data minimization, ensuring companies do not keep sensitive data they no longer need," Warner said in a press release. "And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting form these lapses."