Marriott Breach Highlights Need for Better Identity Practices to Protect Against Account Takeover and Identity Impersonation
The Marriott data breach, in which 500 million guests lost personal and financial details over a four-year period, highlights the need for stronger identity proofing procedures and strong, hardware-based authentication to limit the use of stolen data for account fraud and identity impersonation, the Secure Technology Alliance said today. The Alliance is a cross-industry organization working to educate on the appropriate uses of secure technologies to enable privacy and data protection.
The Marriott breach should be looked at as a watershed moment for identity, similar to what the 2013 Target breach was for payments. Just as the Target breach was the catalyst for a payments infrastructure overhaul and the introduction of EMV chip cards, the Marriott breach should serve as a signal that it is time for an identity security overhaul.
Consumers and businesses should be aware that all personally identifiable information, or PII, has utility for cyber criminals. Information that may be seen as basic, like an email address, can be used to perpetrate targeted social engineering, phishing and other attacks that can result in identity impersonation and financial theft. As the introduction of chip cards has reduced in-store counterfeit card fraud[1], cyber criminals looking for new fraud avenues have turned to account takeover using the mass amounts of personal data stolen in data breaches and now available on the dark web. As a result, account takeover tripled in 2017[2], reaching a four-year high.
The introduction of chip cards in the aftermath of the Target breach was not about preventing data breaches, but about acknowledging the availability of stolen payment data and then minimizing its use by criminals. Similarly, while businesses still need to invest in technologies to protect against breaches, it is important to acknowledge that mass amounts of identity information are now available on the dark web and to start acting to minimize their effective use by criminals.
As breaches like Marriott's continue, consumers are coming to understand the sheer amount of personal data that businesses retain and then lose in breaches, and they will demand stronger security measures. There are several actions that businesses need to take to better protect data and minimize fraud risks:
- Institute more stringent identity proofing procedures to prevent new account fraud, looking to NIST’s SP 800-63-3 for guidance
- Give consumers the option to use multifactor authentication to combat account takeovers
- Mandate hardware-based strong authentication backed by cryptographic security with a smart card or FIDO security key for all employees authorized to access data
- Encrypt all data and store encryption keys locally – not in the cloud where it is vulnerable to theft
The Secure Technology Alliance is committed to developing and sharing best practices around security, privacy and data protection. The Secure Technology Alliance plans to engage the industry in further discussions in 2019 and begin putting forward recommended best practices on identity proofing and authentication that the industry can adopt as a whole.