Marriott Hotel Data Breaches and the Aftermath

The data breach of Marriott Hotels occurred in January 2020. The large Hotel chain did not discover the breach until February 2020. The latest is a second data breach for Marriott and potentially affects 5.2 million guests' information.

What Happened and How?

Hackers obtained logins for two Marriott Hotel employees and breached the network system accessing guess details in January 2020. The information contained names, gender, birthdates, telephone numbers, language preferences, and even loyalty program numbers along with reservation data. 

At the time, a Marriott spokesperson commented, "Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver's license numbers."

They soon added, "Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests."

An Earlier Breach and Big Consequences

In July 2014, Starwood Hotels and Resorts Worldwide was hit by a major data breach affecting 339 million customers. Marriott bought Starwood, but it did not catch the data breach until September 2018. During those four years, hackers made off with customer names, email addresses, mailing addresses, phone numbers, passport numbers, and some credit card information. The incident resulted in a major breach of trust between the hotel and its customers. 

In November 2020, the U.K. Information Commissioner's Office served Marriott Hotels with a steep fine of $24 million over their negligence in keeping customer data safe. It's unclear if they will add to that figure on the heels of this new data breach. Initially, the office had decided on a fine of $128.2 million, but it was reduced before the final ruling.

A London spokesperson claimed that "Although the fact that Marriott got a much lower fine than originally announced may send out a mixed message, this should not deter organizations from taking data security seriously, and organizations should also bear in mind that class-actions for compensation may yet add to the final bill in cases like this one."

The shocking thing about this data breach is hackers installed a web shell on a Marriott server, enabling them to remain connected via remote access and continued to steal information for four years.

Lessons Learned

After an exhaustive investigation, Britain's Information Commissioner's Office has determined some of the leading causes of the Marriott data breach. According to DataBreach Today, "Inadequate monitoring of databases and privileged accounts, incomplete multi-factor authentication and insufficient use of encryption: These are among the catalog of errors cited by British privacy regulators investigating the failures that contributed to the massive data breach involving Marriott's Starwood guest reservation system."

Since the 2014 Marriott’s systems have not been improved, as evidenced by this latest data breach in January of this year. The recently issued 91-page penalty notice includes the following:

* Insufficient monitoring of privileged accounts.

* Insufficient monitoring of databases.

* Poor controls for critical systems.

* Insufficient encryption.

* Reliance on software security protocols rather than personalized management of private data. 

It also noted that "That Marriott did not detect the attack until alerted by Guardium is indicative of Marriott failing regularly to test, assess, and evaluate the effectiveness of its security measures."

The report also detailed some specific factors as:

• Vulnerable web shell and malware tied to Accolade software.
• Memory scraping malware that was used to exfiltrate data.
• IBM Guardian database security software alarms.
• Missing multi-factor authentication to protect cardholder data.
• Insufficient monitoring of privileged accounts.
• Spotty database monitoring.
• Deficient critical systems monitoring and security alerts.
• Incorrectly configured encryption.

The list of violations is long and embarrassing for the hotel chain. However, experts say this is a cautionary tale for other businesses to now step up their game and implement systems that do not land them in the same hot water. 

Recommendations for the Hotel Industry

Threat assessors and security professionals recommend the following security upgrades for hotels and other businesses that collect and store customer data.

1. Develop a security-centric plan for all operations. Start from the ground up and hire security experts to assess your current systems and point out the flaws so you can fix them. 

2. Plan on being breached and implement proactive protections now, don't wait until something catastrophic happens.

3. Invest in security software, practices, and outside resources as a top priority. Don't put a cap on the budget. Think about how much you may have to lose in an incident where you have to reimburse customers or provide remediations.

4. Think of data security as money in the bank. Not only are you preventing dangerous data breaches, but you are also building brand trust, and your customers will appreciate your commitment to security and their privacy.

The bottom line is you cannot be too careful these days if you have anything to lose. Marriott is learning that lesson a bit too late.