Here's why data breaches like the one at Marriott are 'treasure troves for spammers'

The massive data breach revealed by Marriott International sheds light on what hackers often do with the personal data they steal, said Long Lu, a cybersecurity expert at Northeastern. Hackers, he said, frequently sell people's names, email addresses, and other personal information to spammers who, in turn, use it steal people's identities or trick people into installing harmful software or buying fake merchandise.

"If you sell a large set of email addresses, along with names or other personal information, that's like a treasure trove for spammers," said Lu, an assistant professor in the College of Computer and Information Science. "Not only do they know what are the valid email addresses that they can send to, but they also have some basic information they can use to better target these email address owners."

Marriott, the world's largest hotel chain, said last week that its Starwood guest reservation database has been hacked and that the personal information of up to 500 million guests had been exposed. The majority of the victims in the Marriott breach, believed to be 317 million people, had a combination of their names, addresses, passport numbers, dates of birth, phone numbers, gender, email addresses, and reservation information stolen.

The methods used to hack the reservation system, the ability of Marriott to protect itself against breaches, and how the stolen data could be used all remain unclear. But Lu said that the hack exemplifies how sophisticated cyberattacks have become, the need for businesses to invest more resources in protecting their data, and the demand for laws that set industry standards for cybersecurity.

"If you're talking about a car, there are very specific safety restrictions and laws in place that require car manufacturers to do their best to make their cars safe," Lu said. "But I don't see an equivalent set of laws for cyber."

The breach affects customers who made reservations at Starwood-brand hotels and resorts between 2014 and September 2018, according to the New York Times. Marriott acquired Starwood, whose hotel brands include Westin, W Hotels, and Sheraton, in 2016. Marriott-branded hotels, which include Residence Inn and the Ritz Carlton, reportedly operate on a different reservation system.

"I frankly was shocked at how big the scale was and how long it was going on for," Lu said. "This is probably, if it's not the worst, definitely one of the worst data breaches that I've seen in recent years."

He said that companies have begun to do a better job at protecting customer data and responding to breaches and recommended that consumers try to protect their personal information by regularly changing their online passwords and monitoring their credit reports.

"Cyberattacks [are] something we cannot completely stop, but we can always do better to try to prevent it from happening or reduce the likelihood for an attack to happen," he said.