As details emerged about the latest “massive data breach”—this time at the Marriott International hotel chain—database experts and security technology executives speculated on how it could have been avoided and reflected on what needs to change to prevent similar data security lapses.
The breach has come to light at a time of heightened awareness of the risk of personal data mishandling. Increasingly stringent data breach and notification laws such as the EU’s General Data Protection Regulation, Canada’s Personal Information Protection and Electronic Documents Act, and the California Consumer Privacy Act of 2018, among others, are demanding greater care in handling data and threatening stiffer penalties for organizations that fail to comply.
"The frequency and size of data breaches continue to grow unabated," said Craig S. Mullins, president and principal consultant, Mullins Consulting, Inc. "This breach of sensitive information by Marriott is perhaps the largest yet—anyone who made a reservation at a Starwood property could be affected. Organizations can avoid most of these breaches with proper encryption, masking, and auditing software, but these types of tools are not pervasively implemented. That is why we need regulations that force proper data protection."
The hospitality industry seems especially vulnerable to data breaches and needs to sharpen its focus on data management, added ASG VP of marketing Rob Perry. "Personal data is a critical resource. The Marriott breach is just the most recent in a string of hospitality industry breaches (Radisson suffered one in September, as well), showing that organizations are under continual attack and must remain diligent in protecting the privacy of their customers’ data. While it’s not clear why Marriott took several months to understand the extent of the breach, data management practices that create a comprehensive view of the data estate and data flows can help organizations better understand what data was breached and also identify where vulnerable data resides so it can be better protected."
According to Marriott, the personal information of up to 500 million guests, going as far back as 2014, was compromised.
Marriott International has more than 6,700 properties across 130 countries and territories, and is headquartered outside of Washington, D.C. in Bethesda, Maryland.
The hotel group was informed in September about an attempt to access the database, and a subsequent investigation showed that unauthorized access had been made to the Starwood guest reservation database.
Marriott International purchased the Starwood hotel chain for $13 billion in 2016, adding Starwood's Sheraton, Westin, W, and St. Regis properties to its Marriott, Courtyard, and Ritz-Carlton brands.
Marriott explained in a statement: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”
“From what has been disclosed, it appears this breach started in 2014, prior to the Marriott acquisition of SPG,” said Gates Marshall, director of Cyber Services, CompliancePoint. “In theory this should have been identified as part of a cyber risk assessment conducted during the M&A activities. It’s likely that the different corporate entities had different levels of security maturity and this issue was obscured as the company worked to merge systems. Whatever detective controls were in place, like security alerts, may not have been applied to all assets. There was a purported breach of the Marriott incident response team in 2017 (https://twitter.com/malwrhunterteam/status/881089396124078080) that should have triggered a thorough review which may have identified this. In the end, attackers can be very advanced and the commotion around M&A homogenization activities created enough fog for this incident to last for 4 years.