Dem lawmaker: Marriott ‘in the dark’ about massive data breach

Rep. Jamie Raskin (D-Md.), whose district is home to Marriott International, says the company is still struggling to understand the massive data breach that may have affected 500 million customers.

“Marriott seems to be still be in the dark about a lot of what happened,” Raskin told The Hill on Monday. “My sense is that Marriott has tried to be as transparent as it can be but they don’t have a clear idea as how it happened.”

The Maryland Democrat said he called and spoke at length to the company’s CEO on Friday, the day the breach was disclosed.

{mosads}“I was very troubled about it when I heard it,” Raskin said of the news. “I thought it was a typo when I read that it affected 500 million people.”

Marriott announced Friday that it is investigating the hack to its reservation system that may have allowed access to personal data on 500 million people, including their names and phone numbers.

The hack is only the latest in a number of breaches targeting high-profile American companies in recent year. In 2018 alone, data breaches have hit Facebook, Google Plus, Orbitz and Under Armour.

Momentum has been growing in recent years for lawmakers to push a national data privacy law with requirements on when companies should disclose breaches to customers.

“For me, it raises the whole question about if we need a national data privacy law that protects peoples rights and information. It’s something that we’re exploring now,” Raskin told The Hill.

The European Union has already passed data privacy legislation, the General Data Protection Regulation, which took effect in 2018.

It “made me think we could use something like in the U.S.,” Raskin added.

But in the U.S., the states have been taking the lead on data privacy, with California passing the nation’s toughest laws earlier this year. That has worried business, which fears a patchwork of laws across the country.

Raskin said Marriott CEO Arne Sorenson said Starwood customers in particular were affected. Marriott acquired Starwood Hotels & Resorts Worldwide just over two years ago.

“That tells me that they obviously did not undertake comprehensive data security precautions when the buy out took place,” Raskin said.

Sorenson assured Raskin “that they’re taking it very seriously and they’ve set up this website that people can go to to get frequent updates about the situation and what they can do in order to protect their data,” the lawmaker said.

But the CEO explained that it’s still unclear how the breach happened.

“As he explained it to me, the data breach took place by hackers who essentially covered up their tracks on the way out,” said Raskin. “They’re not aware of who the bad actor is here. It could be a criminal gang, it could be a foreign government, it could be almost anybody.”