In a recent court hearing, Marriott International confessed that, contrary to previous claims, it had not encrypted the personal information of 500 million guests compromised during a data breach in 2018. Initially, Marriott asserted that the data was secured using the Advanced Encryption Standard (AES-128), a robust encryption method. However, it has now been revealed that the data was instead “protected” using the Secure Hash Algorithm 1 (SHA-1), which is a one-way hash function rather than an encryption technique, and which is itself considered cryptographically weak.
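The distinction between hashing and encryption matters in practice: a hash is unkeyed and deterministic, so anyone holding the digest can confirm a guess, and for identifiers drawn from a small space (loyalty numbers, dates, short document numbers) the original value can be recovered by simply trying every candidate. Encryption, and keyed pseudonymization such as HMAC, tie the protection to a secret that the attacker does not have. The following Python script is an added illustration and is not code from the article or from Marriott; the five-digit identifier and the keys are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a 5-digit loyalty-style identifier (not real data).
SAMPLE_ID = "48392"
ID_SPACE = 10 ** 5  # every 5-digit string, i.e. the whole input space


def sha1_hex(value: str) -> str:
    """Unkeyed SHA-1 digest: deterministic, and anyone can recompute it."""
    return hashlib.sha1(value.encode()).hexdigest()


def hmac_hex(key: bytes, value: str) -> str:
    """Keyed digest (HMAC-SHA256): recomputing it requires the secret key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def recover_unkeyed(digest: str, space: int = ID_SPACE) -> Optional[str]:
    """Enumerate every candidate identifier and return the one whose SHA-1
    equals `digest`. Succeeds because the digest depends on nothing secret."""
    for n in range(space):
        candidate = f"{n:05d}"
        if hmac.compare_digest(sha1_hex(candidate), digest):
            return candidate
    return None


def recover_keyed(digest: str, key: bytes, space: int = ID_SPACE) -> Optional[str]:
    """Same enumeration against an HMAC digest. Only the holder of the correct
    key can confirm a candidate; with any other key every candidate fails."""
    for n in range(space):
        candidate = f"{n:05d}"
        if hmac.compare_digest(hmac_hex(key, candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    stored = sha1_hex(SAMPLE_ID)
    print("SHA-1 of sample ID:", stored)
    print("recovered from SHA-1 alone:", recover_unkeyed(stored))

    server_key = secrets.token_bytes(32)   # constructed secret, kept server-side
    stored_keyed = hmac_hex(server_key, SAMPLE_ID)
    print("recovered with the real key:", recover_keyed(stored_keyed, server_key))
    print("recovered with a wrong key:", recover_keyed(stored_keyed, secrets.token_bytes(32)))
```

Running the script shows the SHA-1 value being recovered from the digest alone, while the HMAC value is recovered only when the enumeration is run with the actual key. This is the gap between "hashed" and "encrypted": without a secret, a hash of low-entropy personal data offers no confidentiality, which is why describing SHA-1 as encryption was misleading. Proper protection for such fields is authenticated encryption (for example AES in an AEAD mode) or keyed pseudonymization with a key stored separately from the data.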
This significant lapse in data protection came to light during a legal proceeding brought by customers affected by the breach. The judge has mandated that Marriott update its website to correct the misinformation, a directive Marriott complied with by amending a 2019 webpage. However, the company did not proactively notify its customers of this correction.
The oversight raises serious questions about the effectiveness of the security audits conducted by prominent third-party firms, such as Accenture, Verizon, and CrowdStrike, which failed to identify the absence of actual encryption. Marriott’s legal representatives have suggested that the company only recently recognized the issues with its previously reported security measures.
Security experts criticize Marriott’s handling of the breach, emphasizing the need for rigorous security protocols and honest communication with customers. This incident underscores the importance of stringent security measures and the need for corporations to be transparent about data protection practices to safeguard consumer information effectively.