Marriott’s admission that the payment-card data exposed in its breach had been protected with SHA-1 rather than with AES-128 encryption, as it had previously claimed, has raised serious questions about the adequacy of its security measures. The admission, made during a court hearing, prompted a judge to order Marriott to correct the misinformation on its website within seven days. Marriott made no public announcement of the correction; it only updated a five-year-old webpage with the amended details.
SHA-1 is a hash function, not an encryption algorithm, and one with known weaknesses, so its use in place of AES-128 encryption has significant implications for the security of the compromised data. Plaintiffs’ attorneys argued that the misrepresentation hindered fraud investigations: card brands such as Mastercard and Visa stopped probing for widespread fraud on the assumption that the card data was encrypted. This could affect the ability to uncover evidence crucial to the legal proceedings.
Despite Marriott’s assurance that no information was permanently lost, concerns remain about the integrity of the data and the consequences of the misrepresentation. The admission also raises broader questions about the representations Marriott made to its underwriters and during M&A due diligence, with potential legal repercussions and effects on its stock price. The technical failure of relying on SHA-1 hashing where AES-128 encryption was claimed underscores the need for robust cybersecurity practices in safeguarding sensitive data.