The implications of the recent Marriott hack go far beyond those of your average data breach. This megabreach of 383M records doesn’t just compromise sensitive data for the sake of fraud or financial gain, it paints a frightening picture of international espionage and personal privacy.
When news broke that hackers working on behalf of a Chinese intelligence agency may be responsible for the Marriott breach, questions abounded. Why would China be interested in loyalty program data by the millions? And why hospitality data?
Could You Be A Target?
Let’s be frank: Foreign intelligence agency actors aren’t exactly interested in earning a free night’s stay at a Marriott property. The answer is potentially far more nefarious. The fact is, data collected from breaches are but one piece of a larger, darker puzzle. Stolen customer data—when combined with travel data (see Delta, Cathay Pacific, and British Airways hacks, among others) and other sources of online personal information (i.e., what we share across social media platforms)—enable intelligence agencies to build profiles on individuals. These profiles can then be leveraged to recruit potential informants, as well as check the travel of known government and intelligence officers against their own government to identify moles.
It’s also critical to note that heads of state and other political VIPs are no longer foreign intelligence agencies’ only marks; ordinary citizens are similarly targeted, especially those who may have unfettered access to troves of company Intellectual Property (IP) that a foreign government may want for their domestic economy.
For example, if you work for a cloud storage company whose customers’ data is in an area of interest to an intelligence agency, you may very well become an object of interest. For example, in the FBI’s most recent indictment against foreign intelligence services, Zhu Hua and Zhang Shilong were charged on acting on behalf of the Chinese Ministry of State Security for stealing personal information and IP from companies in various industries including banking and finance, telecom, consumer electronics, healthcare, biotech, automotive, oil and gas, mining and the U.S. Navy.
The Hua/Shilong case is just the latest example of foreign intelligence agencies playing a game of chess while the U.S. is playing checkers. 2018 demonstrated this multiple times: In March, the Justice Department announced that Iranians had, through years-long cyberattacks, stolen intellectual property from over 300 U.S. universities and companies. In July, several Russian agents were indicted for election hacking and in September, North Korea was accused of trying to hurt the U.S. economy through a hack. And, of course, in December, the U.S. government accused China of the Marriott megabreach. But 2018’s record isn’t unique; France was accused of stealing U.S. IP for French companies in 2014 by the U.S. Secretary of Defense.
In the case of Marriott and other large enterprises like it, CISOs and C-suite executives are focused on individual pieces of data lost, versus the sum of what that data can reveal about an individual as a whole, putting them (and us) at a significant disadvantage. Indeed, the entirety of the digital footprint we create, which can be used to impersonate us or to profile/create leverage on us, is greater than the sum of the individual data parts. Consumers likewise don’t typically consider the bigger picture their personal data paints, regarding their travel patterns, purchasing habits, hobbies, (not so) hidden secrets, social causes and more. Add in breach burnout, wherein the public has become desensitized to countless stories of data exposure, and a perfect storm for harvesting operatives and stealing IP emerges.
Look at the Whole Picture
Until enterprises view data holistically and realize that any company with valuable IP could be the target of a foreign government on behalf of that company’s foreign competitors, they will continue to play into the hands of transnational threat actors at the expense of consumer safety and national security.
It is critical that organizations incorporate cybersecurity into every fabric of the business, from the C-level down, including training and education, as well as seeking expertise from security service companies who understand how to protect organizations from the capabilities of foreign intelligence groups. And that education must include an understanding how personal, government and business-related information can be used by foreign intelligence agencies, and how corporate IP may be of value to foreign competitors. Whether it’s a game of chess or an intricate puzzle, individuals must look beyond the breach at hand and grasp what’s around the corner.