1. SOUNDBITE (English) Justin Cappos, NYU Tandon School of Engineering Professor
"These are not the right people to be storing and trying to protect secure data. If someone can have access for four years and they don't realize it. It's just almost it fundamentally says that they had the wrong security posture and they didn't care about their users' security and privacy."
2. Various of W and Marriott hotels
3. SOUNDBITE (English) Justin Cappos, NYU Tandon School of Engineering Professor
"They can effectively transfer that risk to an alternate party by having a party that specializes in managing and storing credit card information, other things like this. There's tons of different payment and processing vendors."
4. SOUNDBITE (English) Justin Cappos, NYU Tandon School of Engineering Professor
"So they just shouldn't have been keeping that stuff in-house. It's a very 101 mistake to make."
5. SOUNDBITE (English) Justin Cappos, NYU Tandon School of Engineering Professor
"Half a billion people's data is now potentially out there for attackers."
6. SOUNDBITE (English) Justin Cappos, NYU Tandon School of Engineering Professor
"It's very much the case that companies don't really care because they really haven't faced major, major financial consequences. There are situations where you would assume there should be huge financial consequences, but unfortunately the laws in the United States are really lacking."
Cybersecurity expert and NYU professor Justin Cappos says the security breach that compromised the information of as many as 500 million guests shows that Marriott's Starwood hotels did not care about customer security and privacy.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also included.
None of the Marriott-branded chains were threatened.
A security breach inside the hotel empire exposed credit card numbers, passport numbers and birth dates for as long as four years, the company said Friday.
The crisis quickly emerged as one of the largest data breaches on record. By comparison, last year's startling Equifax hack affected more than 145 million people.
Analysts were alarmed by the length of time the breach had been going on. Many security breaches span months, an average of 90 to 200 days, but this one began in 2014.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be Starwood Preferred Guest account information, date of birth, gender, arrival and departure times and reservation dates.
Credit card numbers and expiration dates of some guests may have been taken, according to the company.
Passport numbers can be added to full sets of data about a person that bad actors sell on the black market, leading to identity theft.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.
New York's Attorney General has opened an investigation into the breach.