Welcome to the Marriott, where you can check out but never really leave

Old news: On November 30^th, Marriott disclosed a breach that compromised about 500m data records of Starwood Hotels customers. The breach was first detected in September, with the full scope not realized until two and a half months later. Turns out that the hotel guest database was actually initially breached in 2014 before Marriott acquired Starwood in 2016.

Over 65% of the data contained full PII (names, addresses, contact info, date of birth, gender, passport number, arrival and departure info), with an undisclosed number also containing payment card data. Marriott and Starwood allowed a lot of personal data to be stolen, and with the new GDPR laws in effect, Marriott could be facing a large fine.

What we care about is – what actions could Marriott have taken to mitigate the breach and its effects on their organization? Turns out that the hotel chain does not fall short on at least two severe oversights and misconducts.

Issue 1: Lack of Acquisition Due Diligence  

As mentioned above, hackers breached Starwood back in 2014 so clearly Marriott, failed to properly assess the cybersecurity posture of Starwood during the acquisition due diligence process. Marriott’s management could have been alerted to the breach before finalizing the acquisition in 2016.

The stolen data is comprehensive and could include high profile travelers and groups like diplomats, business people, and intelligence officials. “With that amount of stolen data, if they have a complete set of personal ID information and they have combined it with payment card [details], it has great resale value on the underground economy,” comments Jason Hill, lead researcher at CyberInt as reported in the Financial Times.

Issue 2: Post-breach Incident Response

Sound cyber risk management hinges on developing a plan for post-incident response. No cybersecurity posture is infallible and having a plan can mitigate disaster. The following five steps are best practice for incident response to a breach.

1. Assess damage and evaluate losses
2. Isolate the network
3. Determine the source
4. Report the breach to decision makers and affected parties
5. Learn from the breach

As a (significant) side note: Europe’s new GDPR laws may come into play in this case as Marriott admits, they learned of the Starwood database breach in September but didn’t inform the public until November 30. GDPR requires companies to notify regulators within 72 hours of finding a breach, with potential fines for failing to do so of up to 4% of global revenue. A stronger cyber risk management framework may have helped Marriott better comply with the new EU laws as well as promote a stronger cyber posture that could have revealed the breach much sooner.

Where Does This Leave Us?

For the attackers to remain unnoticed in the hotel’s database for years demonstrates they have a decent level of sophistication. However, if Marriott had conducted a professional cybersecurity due diligence process during Starwood’s acquisition, the breach would have been exposed in 2016.

A strong cyber risk management process in place would have helped Marriott to identify the breach during the acquisition phase. However, the subsequent events could have also been mitigated with a well defined internal and external posture assessment process.

You can start by checking your organization’s cyberscore for free here. The Attack Surface report highlights your company’s cyber-security vulnerabilities that may be exploitable by malicious adversaries.