Happy weekend, Cyber Saturday readers.
I’m back stateside after a week-and-a-half stay in China, where I helped host Fortune‘s 2018 Global Tech Forum. I hope you understand the absence of last weekend’s dispatch; following the event, I took an impromptu vacation in Hong Kong. Thankfully, I did not stay at a Marriott hotel. Speaking of which.
As you have no doubt heard by now, Marriott disclosed a massive data breach that exposed up to 500 million customer records. Hackers accessed information in the company’s Starwood reservation system, which affected brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and other properties in the Starwood portfolio, the company said. The intrusion apparently began in 2014, two years before Marriott acquired Starwood. This oversight in the M&A process calls to mind another recent, post-acquisition hacker-surprise: Yahoo, whose two mega-breaches remained undetected when the company sold to Verizon last year. Coincidentally, Marriott’s hack is the biggest suffered by a corporation, second only to those at Yahoo.
After news of the Marriott breach came out, Sen. Charles E. Schumer (D-N.Y.) called on the hotel chain to foot the bill and replace people’s passports which were potentially compromised as part of the breach. Marriott quickly promised to cover the cost for as many as 327 million people whose passport numbers may have been exposed. At a fee of $110 per passport, that would put Marriott on the hook to pay up to $36 billion—a price tag equivalent to the value of the entire company, per its market capitalization. A devastating payout.
Here’s the thing though: While seemingly noble, Marriott’s promise is a bunch of baloney. The company said it will follow through on reimbursement only in instances where it “determine[s] that fraud has taken place.” What this caveat conveniently excludes is that Marriott’s hack likely had little to do with fraud and everything to do with espionage. In other words, if you’re a victim, don’t expect remuneration.
As Reuters reported, investigators believe the perpetrators of this attack were Chinese spies. The breach used tools, tactics, and procedures that matched Beijing’s style. The intrusion is said to have begun shortly after a breach of the government’s Office of Personnel Management, which government officials have attributed to China. The Starwood database represents a massive trove of potential intelligence: information on who is staying where, when—a bonanza for building up profiles of targets and tracking people of interest.
Geng Shuang, China’s Ministry of Foreign Affairs spokesperson, issued a statement saying the country “opposes all forms of cyber attack,” per Reuters. He said the country would investigate the claims, if offered evidence. Meanwhile, Connie Kim, a Marriott spokesperson, said “we’ve got nothing to share” about the Chinese attribution claim.
The Marriott breach—which took place quietly over years, as spies prefer—does not appear to have been a cybercriminal score. The passport payment pledge is probably bunk; nevertheless, if you think you might have been affected, it won’t hurt to follow these steps to refresh your cybersecurity hygiene and better protect yourself.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.
Encryption down under. The Australian government passed into law a piece of legislation that would require tech companies to provide law enforcement access to users’ encrypted communications. Cybersecurity pros say the new law will open people’s communications up to spies and hackers.
Q: Who got hacked? Answer: Quora, the Q&A website. The company said data for about 100 million user accounts were compromised, including usernames, email addresses, password hashes, and more. Quora said about 300 million people use the website each month.
GOP infiltrator. During this year’s midterm elections, the email accounts of four senior aides at the National Republican Congressional Committee were surveilled by an intruder, Politico reported. Officials said they did not disclose the breach “because they were intent on conducting their own investigation and feared that revealing the hack would compromise efforts to find the culprit.”
Symantec shakeup. Three top-level executives have recently left the cybersecurity giant: Michael Fey, chief operating officer and president; Michael Williams, chief marketing officer; and Bradon Rogers, head of “go-to-market” teams. In their absence, other executives are taking on expanded duties. Meanwhile, Symantec recently wrapped an investigation that found it had misreported financial earnings, recognizing millions of dollars in revenue in a wrong quarter.
Here are the only 2019 cybersecurity predictions worth reading.
Share today’s Cyber Saturday with a friend:
Looking for previous Data Sheets? Click here
Invasion of the privacy snatchers. An essay recently published by the Niskanen Center, a Washington, D.C.-based think tank that promotes a libertarian agenda, argues against “privacy fundamentalism”: the ideological rejection of any privacy-intrusive technologies without consideration of their potential value to consumers. In the piece, Alec Stapp, the author and a technology policy fellow at the center, critically examines a trend he calls the “privacy panic cycle,” which he says tends to exaggerate the risks of new technologies. (See the backlash over Caller ID in the early ’90s.) Here’s an excerpt.
Many new technologies go through this “privacy panic cycle” (e.g., RFID tags, cameras, loyalty cards). It often begins with advocacy groups — such as the Electronic Privacy Information Center (EPIC), the Center for Democracy & Technology (CDT), Access Now, and others — feeding the natural tendency of media outlets to exaggerate the risks associated with a new technology because audiences love negative news (“if it bleeds, it leads”). As the frenzy escalates, headlines start to declare that the sky is falling. Then, despite the Chicken Little omens, fears begin to diminish over time as reality sets in. The cycle ends — not with a bang, but a whimper — as consumer appreciation of the new technology or service proves the deciding factor in its ultimate widespread adoption.
My favorite bit, not included above, analyzes the unlikely coalition formed between groups motivated by “both virtuous and venal interests,” called “bootleggers and Baptists.” That section is well worth a read.
In the Wake of GDPR, Will the U.S. Embrace Data Privacy? by David Meyer
How the iPhone’s Health App Caught a Man Jailed for Murdering Wife by Don Reisinger
Speak Up: Pindrop Raises $90 Million to Expand Voice Security by Jeff John Roberts
ONE MORE THING
Save the children. Big Tech companies are getting their hands on the data of children thanks to over-sharing parents and surveillance-friendly technologies, like home security cameras, smart speakers, Internet-connected toys, and gaming apps. In a report released in November, Anne Longfield, England’s children’s commissioner, estimated that children on average have 70,000 posts about themselves online by their 18th birthday. “We need to stop and think about what this means for children’s lives now and how it may impact on their future lives as adults,” Longfield argues. (HT to Vox for covering the report.)