Data breaches are a constant threat to businesses and organizations worldwide that steward sensitive data of all types. Cybercriminals are always looking for new ways to outsmart existing security controls, creating an arms race in which most data-protection technologies seem to be a half-step behind those trying to undermine them. Although there is no way to guarantee that a data breach will never occur, organizations can and should strengthen their data-protection strategies to reduce the risk of compromising the sensitive data in their possession. The consequences of failing to do so are severe, as the recent cases of Marriott, Equifax, Target, Sony, and many others have shown.
Early last month, Equifax CEO Mark Begor and Marriott CEO Arne Sorenson appeared before the Senate Homeland Security Permanent Subcommittee on Investigations to testify about their companies' recent data breaches, which exposed the records of 145 million and 383 million customers, respectively. During the testimony, both CEOs apologized for the breaches and spoke about preventing similar attacks going forward by prioritizing security company-wide and implementing stronger data-protection controls. Sorenson specifically mentioned tokenization as a method for Marriott to stymie future breaches.
“Part of our strategy going forward is to rely on encryption and tokenization,” he told the congressional committee on March 7.
Sorenson also said Marriott was working with the FBI to determine the source and the intentions of the cyber attack. (Reuters reported in December that evidence collected by investigators suggested China might have been behind the attack.)
How It Happened
The Marriott breach originated in the reservation system of Starwood Hotels and Resorts, a company Marriott purchased in 2016, but the intrusion went undetected by Marriott until September 2018. Starwood had been aware of malware on its systems as early as November 2015, and Sorenson testified that evidence of unauthorized access went back as far as July 2014. Had these red flags been addressed promptly and adequately, the effects of the breach could have been minimized. Instead, Marriott kept Starwood's security infrastructure in place after the acquisition, despite knowing of at least a history of security issues at Starwood, even if not their full scope or current status. Had either Marriott or Starwood tokenized the reservation data earlier, the records the attackers copied would have been of little use to them, even though tokenization by itself would not have kept the intruders out.
How Tokenization Could Have Helped
Tokenization is an effective data-security strategy that many organizations use to protect their own sensitive data and that of their customers. It replaces the original value with a token: a randomly generated value that has no mathematical relationship to the original and cannot be reversed without access to the token vault that holds the mapping. If a breach occurs, the tokens the attackers obtain therefore hold no inherent value, provided the vault (or detokenization service) is not compromised along with them and the sensitive fields were actually tokenized. Tokenization can also pseudonymize data, effectively de-identifying it in line with many industry and global privacy regulations. So although tokenization would not have kept the intruders out of Starwood's network, it would have protected the tokenized fields of the nearly 400 million customer records that were exposed, leaving the attackers with tokens rather than the sensitive information itself.
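To make the mechanism concrete, here is a small vault-based tokenization example written for this article; it is not Marriott's or Starwood's code and not a vendor product. It assumes an in-memory vault standing in for a separately hardened service, a role name "payments" as the only role allowed to detokenize, two constructed guest records, and a policy of leaving the last four digits of a card number in the clear; all of these are illustrative choices, not facts from the page.

```python
import secrets
import string

# Constructed sample reservation rows (not real guest data), standing in for
# the kind of records held in a hotel reservation system.
SAMPLE_GUESTS = [
    {"name": "A. Guest", "passport": "X12345678", "card": "4111111111111111"},
    {"name": "B. Guest", "passport": "Y87654321", "card": "4111111111111111"},
]

# Field -> number of trailing characters left in the clear (e.g. last four
# digits of a card so staff can still identify it). Assumed policy.
SENSITIVE_FIELDS = {"card": 4, "passport": 0}


class TokenVault:
    """Maps random tokens back to plaintext. Only the vault can reverse a
    token, so in production it runs as a separate, hardened service with its
    own access control and audit log; the in-process dicts here are only an
    illustration of the data model."""

    # Roles allowed to call detokenize(); everyone else only ever sees tokens.
    DETOKENIZE_ROLES = {"payments"}

    def __init__(self):
        self._plain_by_token = {}
        self._token_by_plain = {}

    @staticmethod
    def _random_token(value, keep_last):
        """Random token with the same length and character classes as the
        value, so it fits the existing column; the last keep_last characters
        are copied through unchanged."""
        split = len(value) - keep_last
        head, tail = value[:split], value[split:]
        out = []
        for ch in head:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)          # separators such as '-' stay put
        return "".join(out) + tail

    def tokenize(self, value, keep_last=0):
        # The same plaintext always maps to the same token, so records can
        # still be matched or joined on the token (pseudonymization) without
        # anyone outside the vault seeing the plaintext.
        if value in self._token_by_plain:
            return self._token_by_plain[value]
        while True:
            token = self._random_token(value, keep_last)
            if token != value and token not in self._plain_by_token:
                break                   # collision or identity: draw again
        self._plain_by_token[token] = value
        self._token_by_plain[value] = token
        return token

    def detokenize(self, token, role):
        """Reverse a token. Enforced here because the vault is the only place
        the plaintext exists; a stolen copy of the application database
        contains tokens only."""
        if role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._plain_by_token[token]


def tokenize_record(vault, record):
    """Return a copy of the record with sensitive fields replaced by tokens;
    this is what the application database stores."""
    out = dict(record)
    for field, keep in SENSITIVE_FIELDS.items():
        out[field] = vault.tokenize(record[field], keep_last=keep)
    return out


def can_detokenize(vault, token, role):
    """True if the role is permitted to recover the plaintext for token."""
    try:
        vault.detokenize(token, role)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    vault = TokenVault()
    for row in (tokenize_record(vault, g) for g in SAMPLE_GUESTS):
        print(row)      # tokens only; nothing here is worth stealing
```

The point the example makes is the one the paragraph above relies on: a copy of the tokenized records reveals nothing about the card or passport numbers, because the tokens are drawn at random rather than derived from the data, and only a caller that can reach the vault with an authorized role can recover the plaintext. The flip side is the practitioner's caveat: if the vault, its keys, or a detokenizing service account is compromised alongside the database, the tokens are as good as plaintext, so the vault needs stricter isolation, access control, and monitoring than the systems it protects.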