Saturday, January 16, 2021

Lessons Learned from the Marriott Data Breaches

by Meryl D’Sa
9 months ago

Collecting customer data is vital to the operation of many large organizations. However, it is the responsibility of these organizations to properly secure the data that they collect against compromise.

A failure to do so can have a dramatic impact on an organization’s public image. In March 2020, Marriott hotels announced its second major data breach discovered within two years. Both of these data breaches were enabled by the company’s failure to follow simple data security best practices, and they serve as an example to other organizations entrusted with their customers’ sensitive and personal data.

Inside the Marriott Data Breaches

Within the last couple of years, Marriott has made headlines, and not in a good way. The hotel chain has discovered two major data breaches since 2018, which have exposed the personal data of millions of its guests.

  • The First Breach

In September 2018, Marriott discovered the first of its two data breaches. The organization responded to a security alert indicating that someone was making an unusual request to an internal guest database.

Further investigation revealed that a breach of the Starwood hotel brand’s network occurred in 2014. Two years later, Marriott acquired its competitor and began consolidation of the two brands’ systems. However, in 2018, when the breach was discovered, Marriott had not yet migrated Starwood’s data to its own customer reservation management system.

Investigation of the data breach revealed that a cybercriminal, who had access to Starwood’s systems for four years, had managed to access and decrypt data files containing the personal information of over 500 million guests. Affected data included:

  • Personal information
  • Credit card numbers
  • Passport numbers

While the Starwood breach occurred before Marriott acquired the company, Marriott failed to discover the breach during due diligence, and the breach continued for over two years after the acquisition. Since the breach was discovered after the start of enforcement of the European Union’s (EU’s) General Data Protection Regulation (GDPR), the company was assessed a fine of over $120 million by the Information Commissioner’s Office, the UK government agency in charge of GDPR enforcement. This is in addition to the direct costs of the breach and potential losses in revenue, which could total billions of dollars.

  • The Second Breach

The second Marriott data breach was announced at the end of March 2020. This breach affected up to 5.2 million Marriott guests and occurred due to a failure to properly monitor and control access to an application used by the company.

In this second Marriott breach, the cybercriminal behind the attack managed to compromise the user credentials of two employees at a Marriott franchise hotel. These credentials were used to access an application used by the hotel chain to manage guest information. As a result, the hacker was able to access the personal data of 5.2 million guests, including:

  • Contact details (name, address, email, and phone number)
  • Loyalty account information (account number and points balance)
  • Personal details (gender, company, birthday)
  • Preferences (language and room preferences)

While not every data value was available for every guest, it still represented a significant breach of sensitive guest information. The organization is likely to suffer penalties under the GDPR and the California Consumer Privacy Act (CCPA) as well as other privacy regulations and lawsuits. However, since payment card data was not exposed, the Payment Card Industry Data Security Standard (PCI DSS) does not apply.

Data Security Takeaways from the Marriott Breaches

The details of the two Marriott breaches are very different. In one breach, a cybercriminal breached a competitor of the company, and the organization inherited the breach and its impacts after failing to discover it during the merger process. In the other, the organization’s own systems were compromised when a cybercriminal stole the user credentials of two employees and used them to access an application containing the personal data of the hotel chain’s guests.

However, at a high level, both breaches are similar and demonstrate the importance of implementing strong data security. These data breaches could have been prevented by implementing simple data security measures:

  • Robust Antivirus: The attackers in the first Marriott breach used Mimikatz to steal login credentials. This is a well-known hacking tool that is detected by many antivirus programs.
  • Secure Encryption Key Management: In the first data breach, the decryption key for Starwood’s reservation data was stored alongside the data.
  • Database Monitoring: While the Starwood breach was eventually discovered by monitoring database access attempts, behavioral analysis of access attempts likely would have discovered it more rapidly.
  • Including Cybersecurity in Due Diligence: When performing due diligence before the merger, Marriott did not discover the Starwood breach.
  • Multi-factor Authentication: Two compromised passwords made the second Marriott breach possible, but implementing MFA could have prevented it.
  • Third-Party Vendor Management: The second Marriott breach involved compromised credentials from a franchisee. Monitoring third-party access to internal systems for behavioral abnormalities could have detected the breach more rapidly.
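
The behavioral monitoring named in the Database Monitoring and third-party vendor points above can be sketched as a per-account baseline check. This is an added example, not part of the original article or any Marriott system; the audit-record layout, account names, table names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed audit records: (day, account, table, rows_returned). All values invented.
DAILY = [(40, 35), (52, 30), (38, 41), (45, 33), (47, 37)]
AUDIT_LOG = [(f"2020-01-0{d}", acct, "guest_profile", rows)
             for d, pair in enumerate(DAILY, start=1)
             for acct, rows in zip(("franchise_desk_1", "franchise_desk_2"), pair)]
AUDIT_LOG += [
    ("2020-01-06", "franchise_desk_1", "guest_profile", 44),
    ("2020-01-06", "franchise_desk_2", "guest_profile", 52000),
    ("2020-01-06", "franchise_desk_2", "loyalty_account", 48000),
]

def robust_threshold(history, k=6.0, floor=50):
    """Median + k * MAD; the floor keeps very flat baselines from alerting on noise."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return max(med + k * max(mad, 1), floor)

def find_anomalies(log, baseline_days=5):
    """Return sorted (day, account, reason) where an account departs from its own baseline."""
    days = sorted({rec[0] for rec in log})
    baseline = set(days[:baseline_days])
    volume = defaultdict(lambda: defaultdict(int))  # account -> day -> rows returned
    known_tables = defaultdict(set)                 # account -> tables seen in baseline
    for day, acct, table, rows in log:
        volume[acct][day] += rows
        if day in baseline:
            known_tables[acct].add(table)
    alerts = set()
    for day, acct, table, rows in log:
        # An account touching a table it never used before is a behavioral change.
        if day not in baseline and table not in known_tables[acct]:
            alerts.add((day, acct, f"new table: {table}"))
    for acct, per_day in volume.items():
        limit = robust_threshold([per_day.get(d, 0) for d in sorted(baseline)])
        for day in days[baseline_days:]:
            if per_day.get(day, 0) > limit:
                alerts.add((day, acct, f"volume {per_day[day]} > {limit:.0f}"))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_anomalies(AUDIT_LOG):
        print(alert)
```

Because the limit is derived from each account's own history using the median and MAD, one noisy day in the baseline does not inflate the limit the way a mean and standard deviation would.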

Ensuring Data Security

Companies like Marriott regularly collect massive amounts of data regarding their customers as part of normal business. They are responsible for protecting this data as well, and new data protection regulations like the GDPR and CCPA are designed to ensure that they do so. Marriott suffered multiple data breaches due to a failure to follow simple data security best practices. These failures have cost the company dearly in regulatory penalties and lawsuits, as well as the potential for lost future sales.
