A politically inclined attack or just a ‘simple’ lack of security awareness?
Whatever the case, the cyber-attack that hit Marriott was huge. At the time it was disclosed it ranked as the second largest data breach on record, behind only the 2013 Yahoo breach and ahead of Equifax in 2017. Attackers stole personal information including names, email addresses, postal addresses, passport numbers and payment card data belonging to Marriott's guests, and they had access for roughly four years. The breach, which affected approximately 500 million guests (yes, million), was made public in late November 2018, about two months after the hospitality giant discovered it.
The amount of data taken from the reservation system of Starwood Hotels (a company Marriott acquired in 2016) was massive. What is most surprising and troubling is that the original intrusion went undetected for four years: the acquisition went ahead with the compromise already in place, and no attention was paid to it.
By purchasing Starwood in 2016, Marriott became the largest hospitality company in the entire world, but it also suffered some side effects of this expansion since cybercriminals had penetrated the reservation systems of Starwood back in 2014 – undetected! According to Bloomberg Intelligence, “the company could face up to $1 billion in regulatory fines and litigation costs”.
Since the initial disclosure, it has also been reported that Marriott's own security team was targeted by an attack in June 2017. Clearly, something does not add up.
Another, more controversial, side to this story is the suggestion that the attack on Marriott was politically motivated. The New York Times reported that the hackers were suspected of working on behalf of the Chinese Ministry of State Security: "The cyber attack on the Marriott hotel chain that collected personal details of roughly 500 million guests was part of a Chinese intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to two people briefed on the investigation." It will take a while before this side of the story reveals the whole picture.
In an emailed statement, Marriott spokeswoman Connie Kim said: "Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests." She added: "We have no information about the cause of this incident, and we have not speculated about the identity of the attacker."
The dearth of security awareness
Looking at how the story unfolded, anyone can blame and criticize Marriott, and Starwood, for what looks like a chain of serious errors. The reality, however, is that today this could happen to almost any business. Cybersecurity preventive measures have become far more sophisticated than they used to be, but so have the criminals, and the result is a constant cat-and-mouse game. Legitimate companies are bound by laws; criminals are not. That gives attackers a considerable advantage when it comes to innovating and staying ahead of the defenders. Security teams are left playing a constant and dangerous game of catch-up, which at some point becomes catastrophic, as it did for Marriott.
The core problem is that security is still not a top priority for the senior management of many organizations. Despite prominent companies being attacked constantly (Ticketmaster, Under Armour and British Airways in 2018 alone, among others), and despite the security industry having repeated the "when, not if" warning for years, many businesses have still not grasped how vital security is.
Simply put, the fact that a security review may not have been part of Marriott's purchase of Starwood, or, if it was, that it was not conducted properly, is further evidence that security has not been given the weight it deserves in recent years. Acquiring a company also means acquiring its existing compromises, which is why technical due diligence on the target's systems belongs in any acquisition.
The wrong right turn: boost security awareness?
Research conducted by Bromium in 2018 suggested that the average corporation spends $16.8 million annually on security, with the largest share going to "the human cost of maintaining cybersecurity systems". This indicates that enterprise security spending is already at a reasonable level; what needs to increase is the awareness of each and every employee. Security teams are in a constant war with cybercriminals and, on most occasions, have to deal with situations they have never seen before.
The way people are recruited and the way skills to counter cyber-attacks are taught are not continually updated, and they are not built on case studies of real incidents such as Equifax, Marriott and Yahoo. By the time a particular set of skills has been taught, it is often already out of date because attackers have moved on to new techniques.
What we need to do is start implementing standards and frameworks that are updated and actually have a direct impact on security teams, security systems and intellectual property of enterprises.
When an organization runs regular awareness and staff-training sessions and implements comprehensive standards such as ISO 27001 and ISO 27032 to protect its data, its cybersecurity program should be robust enough to prevent the majority of the attacks it will face, and, at least as importantly given the four-year dwell time at Starwood, to detect the ones that get through. Organizations should also commission annual assessments by ethical hackers so that they are prepared when a real attack happens.
Don't feel safe about your intellectual property? PECB is here to ensure that you have implemented detail-oriented models and efficient, continually operating structures derived from ISO standards, which help you prevent these types of attacks. Get certified with ISO 27001 Information Security Management Systems and ISO 27032 Cybersecurity and keep your data safe.
Ardian Berisha is the Senior Market Intelligence and Webinar Manager at PECB. He is in charge of conducting market research while developing and providing information related to ISO standards.