Marriott Data Breach is a Warning for Financial Firms


Banks have avoided the major scandals over misuse of personal data and massive data breaches hitting social media and other sectors. But the threat is growing as bad actors become more sophisticated in their use of technology and dark markets to turn data into cash, and banks’ digital operations expand to unfamiliar territory.

The recent Marriott International data breach hit close to home for financial firms, exposing the personal financial data of 500 million customer accounts typically linked to bank-issued credit cards. Under the European Union’s General Data Protection Regulation, such a large-scale cyber-event could result in billion-dollar fines.

The obvious takeaway from the case was that cyber-criminals go where the money is — and Marriott’s trove of high-end frequent travelers offered a rich prize. The breach also showed the evolving threat of cyber-criminals using high-tech skills to devastating effect.


In a new article, Richard Satran of Thomson Reuters Regulatory Intelligence offers 5 lessons that financial firms can take away from the Marriott data breach.


Financial services firms have a long history of protecting financial assets but have less experience in guarding shared data. The recent past has shown that personally identifiable information is coveted and can easily be turned into cash on the dark web. And rogue state-funded hackers suspected in many of the incidents may be the most difficult to thwart.

Bank compliance officers report that they routinely catch many hackers, but the Marriott case showed that sophisticated hackers working like a sleeper cell inside a company’s network left the company less protected than it realized.


This blog post was written by Richard Satran of Thomson Reuters Regulatory Intelligence. You can find out more about Thomson Reuters Regulatory Intelligence here.