The Song Remains The Same: We Can’t Confirm If The Data Was Encrypted Properly

--

I open with a statement … “Businesses need to understand that encryption is not a switch that you just enable, and it all works.”

And so, in the past, a data breach could go unreported for months, but those days are past. For Marriott, a suspicious encrypted file was found in September, and the company was then able to decrypt it on 19 November. In it they found sensitive personal information related to their hotel bookings.

In the past, this type of activity might have gone unreported, but these days, with GDPR, companies are required to report an incident and inform their customers within days of detecting it. The reporting, though, leaves many questions unanswered, especially given the vague wording on how encryption was used. It is another in a long line of vague breach reports around the usage of encryption.

If the Marriott data hack shows one thing, it is that audit/compliance regimes do not work, and that there is a serious lack of investment in making sure that our data is encrypted. For many companies it has been business as usual after GDPR, and they continue to run their data infrastructures on non-encrypted data. The current hack relates to the Starwood reservation data, where the unauthorised access had been going on since 2014. It includes names…
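The "encryption is not a switch" point above is easiest to see with two deployments of the same cipher. The following is an added example (mine, not code from the original post or from Marriott or Starwood): a reservation record is sealed with AES-256-GCM in both cases, but in one the key is written beside the table on the database host, so whoever copies the host copies the key as well, while in the other the key is held apart (an HSM or KMS is assumed, and the record itself is constructed sample data). A breach report that says "the data was encrypted" tells you nothing unless it also tells you which of these two cases applied.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is a constructed stand-in for one reservation row; it is not
// real guest data.
var sampleRecord = []byte("guest=A. Example;passport=X0000000;stay=2018-09-01")

// Encrypt seals a record with AES-256-GCM. Output layout: nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. GCM authenticates, so a wrong key or a modified
// blob returns an error rather than garbage plaintext.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob shorter than a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Export models what an intruder copies off the database host.
type Export struct {
	Sealed []byte // the "encrypted" table
	Key    []byte // present only when the key was stored on the same host
}

// Deploy encrypts a record with a fresh AES-256 key. With keyBesideData the
// key is written into the export (the "just switch it on" deployment: a key
// in a config file next to the table); otherwise the export holds ciphertext
// only and the key is returned for a reader who keeps it elsewhere (an HSM
// or KMS, assumed here).
func Deploy(record []byte, keyBesideData bool) (Export, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Export{}, nil, err
	}
	sealed, err := Encrypt(key, record)
	if err != nil {
		return Export{}, nil, err
	}
	e := Export{Sealed: sealed}
	if keyBesideData {
		e.Key = key
	}
	return e, key, nil
}

// AttackerReads is the intruder's view of the export: use the key if it came
// along, otherwise try an all-zero key. GCM rejects the wrong key outright.
func AttackerReads(e Export) ([]byte, bool) {
	key := e.Key
	if key == nil {
		key = make([]byte, 32)
	}
	pt, err := Decrypt(key, e.Sealed)
	return pt, err == nil
}

func main() {
	e1, _, _ := Deploy(sampleRecord, true)
	pt, ok := AttackerReads(e1)
	fmt.Printf("key beside data: readable=%v match=%v\n", ok, bytes.Equal(pt, sampleRecord))

	e2, _, _ := Deploy(sampleRecord, false)
	_, ok = AttackerReads(e2)
	fmt.Printf("key held apart:  readable=%v\n", ok)
}
```

Both exports are "encrypted" in the sense an audit checkbox would accept; only the second one protects the guest when the file leaves the building, and only a report that states where the key lived lets a customer tell which one they were given.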

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.