Following the news that Marriott has admitted that five million customer passport numbers have been lost in a recent data breach, cybersecurity experts commented below.
Experts Comments below:
Matt Aldridge, Senior Solutions Architect at Webroot:
“A key question we need to ask is why do hotels need to store passport numbers? One of the biggest impacts of GDPR was that it forced companies to consider the personal data they hold and ask customers for, whether this data was really needed and if so how to properly protect it. This is an example of too much data being collected and retained.
In some countries there are local government requirements that visitor data is recorded for their domestic security purposes. If this is the case, the relevant personal data should be transferred directly into the relevant intelligence, customs or border control system and should not be retained by the hotel. This is just one example among far too many where data is being requested and stored without proper justification and certainly without appropriate measures in place to protect that data.”
Stephen Cox, Vice President and Chief Security Architect at SecureAuth:
“Personally identifiable information and other sensitive data should always be stored encrypted. The responsibility is on the organisation to deploy a strong encryption strategy coupled with a strong identity governance strategy to ensure that the right people are given the right access to the right information at the right time.Security teams need visibility into who has access to sensitive data, as well as who has had past access to help limit further incidents, mitigate the risk around unauthorised use, and assist in incident response activity. The security industry as a whole must continue to raise the bar in terms of innovation and user experience to make this often maligned process more manageable for organisations.There is also responsibility on end users to remain vigilant of fraudulent activity associated with their identity, as well as how and when they share their personal data.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.