Hotel chain Marriott International isn’t having a good week: As The New York Times reported, the company announced that its reservation database for Starwood-branded properties had been hacked. The numbers aren’t great, with initial data suggesting that 500 million guest records dating back to 2014 have been compromised.
The result? This is a bigger breach than the recent Equifax debacle, catapulting it to the “biggest breaches of all-time list” behind Yahoo’s three billion compromised accounts in 2017. It’s a sobering reminder that even large organizations with substantial security resources still face the specter of data breaches. Still, it also raises an important question: What (if anything) can companies do to limit their risk of becoming the next hacked network newsmaker?
What does the Marriott breach mean for customers? As noted by CNN, personal information, including names, phone numbers, email addresses, passport numbers, dates of birth, and credit card information, may have been compromised. While Marriott has created an informational website, set up a hotline, and is now offering a free one-year subscription to the monitoring service WebWatcher, users potentially affected by the breach are also advised to change all their online passwords, monitor accounts for suspicious activity, and cancel any credit cards currently associated with eCommerce stores.
The company was notified in September about unauthorized access to the Starwood database, which covers 6,700 properties worldwide. In its statement, Marriott says the breach took place on or before September 10th, 2018, during which “an unauthorized party had copied and encrypted information and took steps toward removing it.”
But how did hackers gain access? So far, details about the breach methodology are scarce, but there are several likely candidates, including:
Marriott isn’t the first hotel group to suffer a major data breach; as noted by Hotel Management, something similar happened to the Radisson hotel chain this year, and in 2016, Hyatt Hotels disclosed a payment card breach across more than 250 properties.
Beyond the ire of frustrated customers, what are the impacts of these hospitality breaches on business? Cost is a top factor: According to ZDNet, the company could pay between $2.1 and $3.5 billion even with cyber insurance. As noted by Security Boulevard, the nature and location of data breaches can also have an impact—given Marriott hotels’ global reach, they’ll face differing costs across the United States, Canada, and Western Europe.
Speaking of Europe, it’s almost certain that GDPR will play a role here, meaning Marriott could face fines for its database breach because it contained the personal information of EU citizens. As noted by Tim Erlin, VP of product management and strategy at security firm Tripwire, “There’s a high likelihood that this breach affects residents of the EU and will have GDPR implications for Marriott.”
Companies impacted by data breaches also face the two-pronged problem of reasonable risk. Regulators and courts now recognize that hackers often seek out targets of opportunity—companies that haven’t taken “reasonable” and “appropriate” steps to safeguard systems, applications, and databases. If organizations are found wanting in areas of basic infosec, they face the dual consequence of material loss stemming from compromised data and market penalties from the perception of liability.
What does this mean for businesses looking to shore up their defenses against a potential data breach? That it’s critical to create an inhospitable environment for attackers.
Start with the basics: Since almost all companies use at least some open source code rather than rewriting from the ground up, make sure all applications and services are properly patched and watch the news for any word about newly discovered, large-scale flaws (looking at you here, Heartbleed and Shellshock). External-facing apps are another part of the security process; any application connected to a customer database should, at minimum, be tested for security holes and vulnerabilities and be protected with solutions like code obfuscation and application hardening, so that attackers see you as a target of substantial effort, not opportunity.
It’s also a good idea to benchmark against your competitors. Those who are popular with regulators and lawmakers are typically up-front about their security efforts—use them as a guideline rather than reinventing the wheel.
Marriott is the newest breach newsmaker, but it won’t be the last. Hackers recognize the potential profit opportunities of databases filled with consumer information and have no reservations about evaluating email defenses, security patching, and application protection to find network vulnerabilities.
Best bet? Respect the financial and reputational risks and leverage reasonable security precautions to check out potential weak points and prevent hackers from checking in.