Collecting customer data is vital to the operation of many large organizations. However, it is the responsibility of these organizations to properly secure the data that they collect against compromise.
A failure to do so can have a dramatic impact on an organization’s public image. In March 2020, Marriott hotels announced its second major data breach discovered within two years. Both of these data breaches were enabled by the company’s failure to follow simple data security best practices, and they serve as an example to other organizations entrusted with their customers’ sensitive personal data.
Inside the Marriott Data Breaches
Within the last couple of years, Marriott has made headlines, and not in a good way. The hotel chain has discovered two major data breaches since 2018, which together exposed the personal data of millions of its guests.
The First Breach
In September 2018, Marriott discovered the first of its two data breaches. The organization responded to a security alert indicating that someone was making an unusual request to an internal guest database.
Further investigation revealed that a breach of the Starwood hotel brand’s network occurred in 2014. Two years later, Marriott acquired its competitor and began consolidation of the two brands’ systems. However, in 2018, when the breach was discovered, Marriott had not yet migrated Starwood’s data to its own customer reservation management system.
Investigation of the data breach revealed that a cybercriminal, who had access to Starwood’s systems for four years, had managed to access and decrypt data files containing the personal information of over 500 million guests. Affected data included:
- Personal information
- Credit card numbers
- Passport numbers
While the Starwood breach occurred before Marriott acquired the company, Marriott failed to discover the breach during due diligence, and the breach continued for over two years after the acquisition. Since the breach was discovered after enforcement of the European Union’s (EU’s) General Data Protection Regulation (GDPR) had begun, the company was assessed a fine of over $120 million by the Information Commissioner’s Office, the UK government agency in charge of GDPR enforcement. This is in addition to the direct costs of the breach and potential losses in revenue, which could total billions of dollars.
The Second Breach
The second Marriott data breach was announced at the end of March 2020. This breach affected up to 5.2 million Marriott guests and occurred due to a failure to properly monitor and control access to an application used by the company.
In this second Marriott breach, the cybercriminal behind the attack managed to compromise the user credentials of two employees at a Marriott franchise hotel. These credentials were used to access an application used by the hotel chain to manage guest information. As a result, the hacker was able to access the personal data of 5.2 million guests, including:
- Contact details (name, address, email, and phone number)
- Loyalty account information (account number and points balance)
- Personal details (gender, company, birthday)
- Preferences (language and room preferences)
While not every data value was available for every guest, it still represented a significant breach of sensitive guest information. The organization is likely to suffer penalties under the GDPR and the California Consumer Privacy Act (CCPA) as well as other privacy regulations and lawsuits. However, since payment card data was not exposed, the Payment Card Industry Data Security Standard (PCI DSS) does not apply.
Data Security Takeaways from the Marriott Breaches
The details of the two Marriott breaches are very different. In one, a cybercriminal compromised a competitor of the company, and Marriott inherited the breach and its impacts after failing to discover it during the merger process. In the other, the organization’s own systems were compromised when a cybercriminal stole the user credentials of two employees and used them to access an application containing the personal data of the hotel chain’s guests.
However, at a high level, both breaches are similar and demonstrate the importance of implementing strong data security. These data breaches could have been prevented by implementing simple data security measures:
- Robust Antivirus: The attackers in the first Marriott breach used Mimikatz to steal login credentials. This is a well-known hacking tool that is detected by many antivirus programs.
- Secure Encryption Key Management: In the first data breach, the decryption key for Starwood’s reservation data was stored alongside the data.
- Database Monitoring: While the Starwood breach was eventually discovered by monitoring database access attempts, behavioral analysis of access attempts likely would have discovered it more rapidly.
- Including Cybersecurity in Due Diligence: When performing due diligence before the merger, Marriott did not discover the Starwood breach.
- Multi-Factor Authentication: Two compromised passwords made the second Marriott breach possible, but implementing MFA could have prevented it.
- Third-Party Vendor Management: The second Marriott breach involved compromised credentials from a franchisee. Monitoring third-party access to internal systems for behavioral abnormalities could have detected the breach more rapidly.
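The database-monitoring and third-party-access points above both come down to the same control: comparing each credential’s guest-record access volume against its own history and against its peers, so that a valid franchise login suddenly pulling thousands of records stands out. The following is an added example, not code from Marriott or from the original article; the access log, account names and volumes are constructed for illustration.

```python
"""Behavioral analysis of guest-database access attempts (added example)."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed access log: (account, role, hour, guest_records_read).
# Account names and volumes are invented for this example.
ACCESS_LOG = [
    ("fr-hotel-17-fd1", "franchise", 8, 42),
    ("fr-hotel-17-fd1", "franchise", 9, 55),
    ("fr-hotel-17-fd1", "franchise", 10, 38),
    ("fr-hotel-17-fd1", "franchise", 11, 4900),  # bulk pull from a valid login
    ("fr-hotel-22-fd2", "franchise", 8, 30),
    ("fr-hotel-22-fd2", "franchise", 9, 35),
    ("fr-hotel-22-fd2", "franchise", 10, 28),
    ("fr-hotel-22-fd2", "franchise", 11, 33),
    ("corp-res-batch", "batch", 2, 60000),       # nightly job, legitimately large
    ("corp-res-batch", "batch", 3, 61000),
]


def find_anomalies(log, z_limit=3.0, peer_factor=10.0):
    """Return rows whose volume is anomalous for BOTH the account and its role.

    Per-account check: the row is more than z_limit standard deviations above
    the account's other hourly volumes (leave-one-out baseline).
    Peer check: the row exceeds peer_factor times the median volume of all
    accounts with the same role, so a batch job that is always large does not
    alert on its own routine variation.
    """
    by_account = defaultdict(list)
    by_role = defaultdict(list)
    for account, role, _hour, count in log:
        by_account[account].append(count)
        by_role[role].append(count)
    role_median = {role: median(vals) for role, vals in by_role.items()}

    alerts = []
    for account, role, hour, count in log:
        history = list(by_account[account])
        history.remove(count)        # leave this observation out of its own baseline
        if not history:
            continue                 # first sighting: nothing to compare against
        spread = pstdev(history) if len(history) > 1 else 0.0
        z = (count - mean(history)) / max(spread, 1.0)  # floor avoids divide-by-zero
        if z > z_limit and count > peer_factor * role_median[role]:
            alerts.append((account, hour, count, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for account, hour, count, z in find_anomalies(ACCESS_LOG):
        print(f"ALERT {account} hour={hour:02d} read {count} guest records (z={z})")
```

In a real deployment the baseline would be built from weeks of history per credential rather than a handful of hours, and the alert would feed the same pipeline that handled the 2018 database alert.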
Ensuring Data Security
Companies like Marriott regularly collect massive amounts of data regarding their customers as part of normal business. They are responsible for protecting this data as well, and new data protection regulations like the GDPR and CCPA are designed to ensure that they do so. Marriott suffered multiple data breaches due to a failure to follow simple data security best practices. These failures have cost the company dearly in regulatory penalties and lawsuits, as well as the potential for lost future sales.