Marriott’s 500 Million Data Breach Scandal

A politically inclined attack or just a ‘simple’ lack of security awareness?

Whatever the case, the cyber-attack that hit Marriott was huge. It was the joint second largest data breach to take place, after Yahoo in 2013 and Equifax in 2017. A cyber attacker stole personal information including names, emails, addresses, passport numbers, and credit card information of Marriott’s guests. All this lasted for four years! The data breach, which affected approximately 500 million guests (yes, million), was made public in late November 2018, two months after it was discovered by the hospitality giant.

The amount of data stolen from the reservation system of Starwood Hotels (a company purchased by Marriott in 2016) was massive. What is most surprising and shocking is that the initial breach went undetected for four years, so Starwood Hotels was still purchased and no attention was paid to the breach.

By purchasing Starwood in 2016, Marriott became the largest hospitality company in the entire world, but it also suffered some side effects of this expansion, since cybercriminals had penetrated Starwood’s reservation systems back in 2014 - undetected! According to Bloomberg Intelligence, “the company could face up to $1 billion in regulatory fines and litigation costs”.

Since the story originally broke, it has also emerged that Marriott’s own security team was hit by an attack in June 2017. Clearly, something does not add up.

Another ‘not-so-controversial’ side to this story is that the data breach attack on Marriott was politically influenced. The New York Times reported that the hackers were suspected of working on behalf of the Chinese Ministry of State Security. “The cyber attack on the Marriott hotel chain that collected personal details of roughly 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation,” the article further added. It will surely take a while before this side of the story reveals the whole picture.

In addition, in an emailed statement, Marriott spokeswoman Connie Kim stated: “Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests.” She further added: “We have no information about the cause of this incident, and we have not speculated about the identity of the attacker.”

The dearth of security awareness

Taking into consideration how the story unfolded, anyone can blame and criticize Marriott, and even Starwood, for what seems like a series of big errors. Yet the reality is that, nowadays, it could happen to any business or company. Cybersecurity preventive measures have become a lot more sophisticated than they used to be, but so have the cybercriminals. Basically, it’s a chicken and egg scenario. We are aware of the fact that legitimate companies are kept in ‘chains’ by laws – criminals are not. Unfortunately, this puts criminals in a highly favorable position to innovate and stay ahead of the good guys. The security teams, in this case, are playing a constant and dangerous game of catch-up which at some point will be catastrophic, as it was for Marriott.

The main current issue in this respect is that security is still not a top priority for the top management of organizations. Despite prominent organizations constantly being attacked (as happened in 2018 with Ticketmaster, Under Armour, British Airways and others), and despite the “when, not if” warning that the security industry has repeated for many years now, many businesses have not yet realized the vital importance of security.

Simply put, the fact that a security review may not have been part of Marriott’s purchase of Starwood (or, if it was, that it was not conducted properly) is further evidence that security has not been given the right importance in recent years.

The wrong right turn – boost security awareness?

Research conducted by Bromium in 2018 suggested that the average corporation spends $16.8 million annually on security. The largest share of this spending goes to “the human cost of maintaining cybersecurity systems”. This research indicates that enterprise security spending has been fairly reasonable, but what we need to do is increase each and every employee’s awareness. Security teams are in a constant war with cybercriminals and, on most occasions, they have to face and overcome cases that they have never seen before.

The ways in which skills to counter cyber-attacks are taught, and the ways in which people are recruited, are not continually updated and are not based on precedent-based case studies such as Equifax, Marriott, Yahoo and so forth. As soon as particular cyber skills are taught, they become irrelevant because hackers have updated their tricks and are far ahead.

What we need to do is start implementing updated standards and frameworks that have a direct impact on the security teams, security systems and intellectual property of enterprises.

When an organization holds regular awareness and staff-training sessions and implements comprehensive ISO standards such as ISO 27001 and ISO 27032 to protect its data, its cybersecurity program should be robust enough to prevent the majority of cyber-attacks the organization might face. Organizations should also perform annual assessments with groups of ethical hackers so that they are ready when a real attack happens.

Don’t feel safe about your intellectual property? PECB is here to ensure that you have implemented detail-oriented models and continually operating, efficient structures derived from ISO standards, which help you prevent these types of attacks. Get certified with ISO 27001 Information Security Management Systems and ISO 27032 Cybersecurity and keep your data safe.
