Cybersecurity

Marriott breach spurs new privacy law push

Lawmakers are fired up after Marriott International suffered what is believed to be the nation’s second-largest data hack, in which hundreds of millions of its customers had their personal data stolen.

The massive exposure of personal information from the brand’s Starwood Hotels reservation database quickly led to calls for tougher legislation to protect customers’ data privacy.

Sen. John Kennedy (R-La.) told The Hill on Tuesday that he is crafting privacy legislation to address these kinds of hacks and expressed frustration over the wave of recently revealed, massive data breaches.

Kennedy, who said he is in the early stages of writing the bill, declined to provide details on what exactly it will include. Still, he said that Congress has “got to start” the discussion on holding companies accountable when users’ private data is exposed.

“Right now there’s a lot of chopping, but I don’t see any chips flying. Everybody’s talking, but nothing’s moving in terms of legislation,” Kennedy said.

Marriott International revealed on Friday that it had suffered from a massive hack dating back to 2014, in which the personal data of 500 million of its customers was compromised.

The company says it’s working to address the breach, including starting a website and call center for customers who may have had their data exposed.

Marriott said last week that it received an alert in early September about an attempt to access its Starwood guest reservation database. The hacker “copied and encrypted information” and then took steps toward removing it. That information turned out to be the guest database, according to the company’s investigation of the hack.

The passport numbers of up to 327 million guests also may have been exposed in the breach. Senate Minority Leader Charles Schumer (D-N.Y.) has called for the chain to pay for new passports for those impacted, and a Marriott spokesperson told MarketWatch on Tuesday that it will cover those costs if they determine fraud has taken place.

“Marriott deeply regrets this incident happened,” the company said in a Friday blog post. “Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities.”

The breach has already caught the scrutiny of both federal and state governments, with New York Attorney General Barbara Underwood (D) announcing just hours after Marriott revealed the hack that she was launching an investigation.

Kennedy expressed concern over the increasing frequency of data breaches, saying that Americans are “becoming desensitized” to their personal information ending up in the hands of hackers.

“In today’s world, I’m not sure you can be 100 percent secure,” Kennedy told The Hill. “But it clearly has to be a priority.”

Marriott is just one of a number of companies hit by significant data breaches that have affected millions in recent years.

Quora announced on Monday that the personal data of roughly 100 million users of the question-and-answer site may have been compromised. Dunkin’ Donuts also announced a breach last week. Orbitz, Under Armour, Facebook and Google are other companies that have disclosed breaches just in the current year.

But the scale of Marriott’s hack has caught the attention of lawmakers from both sides of the aisle and raised questions about whether companies are improving their handling and response to breaches.

Republicans on the Senate Commerce Committee sent a letter on Tuesday to Marriott International CEO and President Arne Sorenson requesting details on the extent of the data breach and what steps the chain is now taking to protect customers’ data.

On the other side of the aisle, Sen. Ron Wyden (D-Ore.) seized the opportunity to tout drafting legislation to create stricter penalties for companies that have been hacked.

“If history is any guide, @Marriott’s mega data breach will be treated like all the others: the company will apologize & offer useless credit monitoring to the victims impacted. The status quo isn’t working,” Wyden tweeted Friday.

Rep. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee and the panel’s likely incoming chair, also sent a letter to the Marriott CEO this week, requesting a meeting to discuss the breach.

“I am disturbed by the evolving scale and scope of data breaches affecting Americans, the types of actors who may be interested in the data, and the nefarious purposes for which bad actors might use stolen data,” Thompson wrote.

Rep. Jamie Raskin (D-Md.), whose district is home to Marriott International, told The Hill on Monday that he believes that the company is trying “to be as transparent as it can be but they don’t have a clear idea as to how it happened.”

Lawmakers’ renewed scrutiny of companies’ data privacy practices comes after Congress repeatedly stumbled in its efforts to address the matter legislatively.

Revelations that 143 million Americans had their sensitive data — including Social Security numbers — exposed in the 2017 Equifax breach similarly sparked a public uproar and calls for change. But despite congressional hearings and broad support, lawmakers failed to pass a bill to protect consumers’ data.

With no federal privacy standard, states are filling the void with their own laws. But that has also brought pushback from businesses who worry about complying with a patchwork of different laws across the country.

The spotlight on data privacy was brought to the forefront again earlier this year following revelations that Cambridge Analytica — the data firm the Trump campaign used during the 2016 presidential election — had obtained and kept the private information of 50 million Facebook users without their permission.

The firm helped the campaign target voters based on the information, sparking a wave of anger at Facebook CEO Mark Zuckerberg and the social media platform over its faulty efforts to safeguard customers’ data from third-party collection.

Whether the Marriott breach can bring Congress to a tipping point remains to be seen.

Kennedy said Tuesday he is frustrated that companies like Facebook haven’t done enough to address privacy and security concerns on their own, suggesting that they are forcing lawmakers’ hands.

“I had hoped that companies, including but not limited to social media companies, would come forward with some ideas for Congress to address this problem, but they haven’t,” he said. “And I think Congress is going to have to address it itself.”

Alex Gangitano contributed.