Privacy Fines for Marriott – Can End-to-End Encryption Help?

Regulators hit Marriott and British Airways with massive privacy fines. This is related to the relatively new privacy law known as GDPR, which requires increased security. You might be asking yourself, “What kind of security would have helped avoid these privacy fines?” End-to-end encryption? Better firewalls? Better coding?

The damage:

  • Marriott: $124 million (£99 million) privacy fine
  • British Airways: $230 million (£183 million) privacy fine

Let’s look at a little background on these fines and what went wrong and what kind of security would have helped.

How Can This Happen – Marriott / Starwood

Marriott’s Starwood brand was hacked and hundreds of millions of guest records were stolen. This is resulting in a huge privacy fine. Starwood used strong encryption, but reportedly screwed up its key management implementation. How could that happen in this day and age? In fact, mistakes in implementing standard encryption are extremely common. According to Wired:

The credit card numbers were encrypted with the algorithm AES-128—a reasonably robust choice—but Marriott says the attackers may have also compromised the decryption keys needed to unlock the data.

Bad key management often undermines good encryption. Developers consider key management way too late in the design process. This results in unacceptable compromises which amount to locking your front door, but leaving the key under the welcome mat. Read our article on key management to learn how to not make this type of mistake.

An end-to-end encryption system like TozStore could have saved hundreds of millions of dollars in privacy fines for an attack like this. With our JavaScript SDK, Marriott could have encrypted the data in the browser (e.g. based on the user’s password) as soon as it was typed in.

In this approach, decryption keys are held only by the user and any back-end system that needs to actually process the data. This keeps the keys far, far away from the database that was breached. It massively reduces the attack surface since most systems don’t have the decryption keys. It’s much stronger than just HTTPS.

End-to-end encryption can help avoid a huge privacy fine

On top of that, use of a Hardware Security Module to protect the keys would have taken the security to the next level.

Not Enough Defense in Depth – British Airways

Similarly, British Airways will be hit with a $230 million (£183 million) privacy fine. Data from hundreds of thousands of consumers was collected by hackers who probably injected trojan JavaScript into the forms while people were booking flights. Those of you who follow our security guides will recognize that script security best practices were probably not followed. We provide guidance on security best practices, so check them out.

Obviously, we strongly recommend end-to-end encryption to protect the privacy of your users. But would that have solved the problem in this case? It couldn’t have hurt, but on the modern web, JavaScript is often loaded dynamically, and can get into the system before encryption actually occurs. Apparently their mobile app even dynamically loaded JavaScript. End-to-end encryption would help with defense in depth, but not address this specific attack.

So if hackers can target the “ends,” what’s the role of end-to-end encryption? If you consider the WhatsApp hack from May, we can see why it’s so important:

Targeting Individuals vs. Massive Data Hacks: WhatsApp

End-to-end encryption makes the bad guys target individuals rather than being able to collect massive amounts of data. And this means it costs bad guys more money, impacts fewer users, and reduces or eliminates fines.

As we saw in May 2019, a vulnerability in the WhatsApp app allowed bad guys to get data from high-profile targets. This happened even though WhatsApp uses end-to-end encryption. The difference between that hack and these? Very, very few people were impacted; probably only a few dozen.

The security of WhatsApp meant that data couldn’t be stolen “on the wire,” it couldn’t be stolen “in the database,” and it couldn’t be stolen by using social engineering against some WhatsApp employee. The users themselves had to be targeted. This is exceptionally difficult to do. The return on investment to the attacker is bad: It costs a lot of money to develop the exploit. Once those vulnerabilities are used, they are then quickly discovered and fixed.

I’d rather make the bad guys spend millions of dollars to hack a few people, so use end-to-end encryption to make their job hard and your job easier.