Marriott gets breached again – what can businesses learn?
The compromised information included contact details, loyalty account information, personal data, and guest preferences.
From mid-January till February 2020, login credentials of two employees at a franchise property were used to access an ‘unexpected amount’ of guests’ personal information. The hotel disabled both credentials immediately and begun an investigation upon discovery.
Currently, the hotel has said that it has “no reason to believe” that payment information, account PINs or personal identification information were compromised. But the breach will have done nothing to improve the hotel chain’s already damaged reputation.
Lightning struck twice for Marriott. It suffered a massive breach in 2018 – personal details of 500 million customers were stolen, leaving the hotel with a hefty fine to pay of US$152 million by the ICO.
With both breaches happening within such a short period of time, it’s easy to chastise the hotel – but the fact is that it could happen to anyone (the same fate befell aviation giants British Airways and Cathay Pacific in 2018 and 2020), and all could stand to learn from Marriott’s experience.
Here are a few pointers businesses can take from Marriott’s dual misfortune
# 1 | Time is of the essence
In the first major breach, Marriott Group CEO, Arne Sorenson, said that hackers had been in Marriott’s system since July 2014, but the team only realized it in September last year, after engaging third-party providers.
They also waited for three months before revealing this breach – and it costed them dearly.
The second time round, however, Marriott’s security team managed to minimize dwell-time and they reported the breach early, which significantly reduced the number of potentially impacted customers.
# 2 | Simple techniques can be deadly
Credential abuse (especially privileged ones) is an extremely popular breach strategy – most data breaches are caused by some form of insider threat.
While financial data was not stolen in Marriott’s case, the information obtained was still incredibly valuable, and could be used for phishing attacks.
A “never trust, always verify, enforce least privilege” approach should always be taken in security, and CIOs can proactively avert potential breaches by running audit sessions and mandating measures like multi-factor authentications (MFA).
# 3 | Plan, plan, plan
Marriott’s misfortunes highlight the importance of having detailed, updated threat models.
It might have been a challenge for Marriott to detect credential misuse as many employees have access to customer data, but if the hotel had adequate monitoring controls, they might’ve been able to spot the problem in good time.
Some key behaviors to look out for could include the time of day data was access, scope of access, and if data was accessed in line with the SOPs in place.
Organizations will also need to know their IT environment inside-out, and ensure that employees are fully aware of the implications of poor security practices.
The current surge in remote working calls for unprecedented levels of vigilance.
Attackers won’t wait until a business is stable to launch an attack, and companies are most vulnerable when they are in the midst of change.