Hacked Hospitality: Marriott Data Breach Puts 500 Million Guests at Risk

Hotel chain Marriott International isn’t having a good week: As reported by The New York Times, the company announced that its reservation database for Starwood-branded properties had been hacked. The numbers aren’t great, with initial data suggesting that 500 million guest records have been compromised across records dating back to 2014.

The result? This is a bigger breach than the recent Equifax debacle, catapulting it to spot on the “biggest breaches of all-time list” behind Yahoo’s three billion compromised accounts in 2017. It’s a sobering reminder that even large organizations with substantial security resources still face the specter of data breaches, but also raises an important question: What (if anything) can companies do to limit their risk of becoming the next hacked-network newsmaker?

Have Data, Will Travel: What Customers Need to Know

What does the Marriott breach mean for customers? As noted by CNN, personal information including names, phone numbers, email addresses, passport numbers, dates of birth and credit card information may have been compromised. While Marriott has created an informational website, set up a hotline and is now offering a free one-year subscription to monitoring service Web Watcher, users potentially affected by the breach are also advised to change all their online passwords, monitor accounts for suspicious activity and cancel any credit cards currently associated with eCommerce stores. 

No Reservations? No Problem

The company was notified in September about unauthorized access of the Starwood database, which covers 6700 properties worldwide. In their statement, Marriott says the breach took place on or before September 10th, 2018 during which “an unauthorized party had copied and encrypted information, and took steps toward removing it.”

But how did hackers gain access? So far, details about the breach methodology are scarce, but there are several likely candidates including:

  • Phishing attacks — Fake emails with urgent messages and malicious links remain a go-to options for attackers because they still work — in many cases, well-written emails that redirect to seemingly-legitimate websites are enough to steal user credentials.
  • Open source issues — Many database management tools rely on open source code; solutions like Adminer, DBComparer and Firebird are free to use, but are also accessible to cybercriminals looking to reverse-engineer attack vectors.
  • Application vulnerabilities — Using reservation making or loyalty program applications connected to the main database, it may have been possible for hackers to gain privileged access, especially if these apps didn’t include runtime protection or application debugging prevention.

Reputation, Regulation and Reasonable Risk

Marriott isn’t the first hotel group to suffer a major data breach; as noted by Hotel Management, something similar happened to the Radisson hotel chain this year, and in 2016 Hyatt Hotels disclosed a payment card breach across more than 250 properties.

Beyond the ire of frustrated customers, however, what are the impacts of these hospitality breaches for business? Cost is a top factor: According to ZDNet, even with cyberinsurance the company could end up paying out between $2.1 and $3.5 billion dollars. And as noted by Security Boulevard, the nature and location of data breaches can also have an impact — given the global reach of Marriott hotels, they’ll face differing costs across the United States, Canada and Western Europe.

Speaking of Europe, it’s almost certain that GDPR will play a role here, meaning Marriott could face fines for its database breach because it contained the personal information of EU citizens. As noted by Tim Erlin, VP of product management and strategy at security firm Tripwire, “there’s a high likelihood that this breach affects residents of the EU, and will have GDPR implications for Marriott.”

Companies impacted by data breaches also face the two-pronged problem of reasonable risk. Regulators and courts now recognize that hackers often seek out targets of opportunity — companies that haven’t taken “reasonable” and “appropriate” steps to safeguard systems, applications and databases. If organizations are found wanting in areas of basic infosec, they face the dual consequence of material loss stemming from compromised data and market penalties from the perceived perception of liability.

Inhospitable Environment

What does this mean for businesses looking to shore up their defenses against a potential data breach? That it’s critical to create an inhospitable environment for attackers. 

Start with the basics: Since almost all companies use at least some open source code rather than rewriting from the ground up, make sure all applications and services are properly patched and watch the news for any word about newly-discovered, large-scale flaws (looking at you here, Heartbleed and Shellshock). External facing Apps are another part of the security process; any application connected to a customer database should at minimum be tested for security holes and vulnerabilities and have solutions like code obfuscation and application hardening to convince attackers that you’re a target of substantial effort, not opportunity. 

Also a good idea? Benchmark your competitors. Those in favor with regulators and law makers are typically up-front about their security efforts — use them as a guideline rather than reinventing the wheel.

Universal Lesson

Marriott is the newest breach newsmaker, but they won’t be the last. Hackers recognize the potential profit opportunities of databases filled with consumer information, and have no reservations about evaluating email defenses, security patching and application protection to find network vulnerabilities.

Best bet? Respect the risks — both financial and reputational — and leverage reasonable security precautions to check out potential weak points and prevent hackers from checking in. 

  1. https://www.nytimes.com/2018/11/30/business/marriott-data-breach.html
  2. https://www.hotelmanagement.net/tech/radisson-loyalty-program-suffers-data-breach
  3. https://www.cnn.com/2018/11/30/tech/marriott-breach-what-to-do/index.html
  4. https://www.zdnet.com/article/marriott-faces-massive-data-breach-expenses-even-with-cybersecurity-insurance/
  5. https://securityboulevard.com/2018/11/consider-these-factors-when-calculating-the-cost-of-a-data-breach/
  6. https://www.preemptive.com/application-hardening