The Marriott Data Breach

Marriott Unsure How Many Hundreds of Millions of Guests Got Screwed by Data Breach: Gizmodo

2019 kicks off in much the same vein as 2018 ended … I know, surprising isn’t it? I’m guessing we haven’t finished with Facebook yet, and the backlash towards Google is only just starting. Others are on the radar and will inevitably start appearing during 2019. The fallout from the Marriott breach is not stopping either, as evidenced in the linked article.

At the crux of Marriott’s initial estimate of the number of guests affected was a simple issue of data duplication. Marriott revised the number of guests from around 500 million to around 380 million. Let’s take stock for a second. That’s 120 million fewer! The correction rate is even more surprising and hard to excuse: by simple calculation it is around 32%, ignoring double, triple or more errors.

That is, around one in three times a guest visits a Marriott Hotel, there is an error in data collection that creates a duplication in their database. And who knows if they’re selling this data elsewhere. I took a quick look at the T&Cs of the rewards program and haven’t found it specifically stated, but I have little trust in that being the last word.

Setting aside the fact that they had a security breach (as of now it’s hard to see if they were derelict in their responsibility or simply unlucky), we can see there are always two affected sides to these stories. One, the affected guests (credit-card information, passport numbers and other personally identifiable information freely circulating on the internet) and two, the company itself (reputation, ‘alternative’ revenue streams etc.).

Clearly, some of the fallout from this incident is going to require Marriott to be a better data citizen, collecting, normalising and rationalising its data as it should have done in the first place.

If we look at the data collection at check-in as a technical problem to solve, there really is no debate. For decades companies have manipulated data correctly in their database systems; identifying duplicates and eliminating them is bread and butter for good data management. The new generation of data-rich companies would do well to look at these incidents and try to identify areas where they themselves can improve.

Of course, companies are unlikely to be motivated to do just that if they’re selling data by the numbers rather than the quality.

8 January 2019, F.W.I