What does the Massive Marriott Data Breach mean for Data Security?

The Marriott hotel group recently reported a huge data breach, which they claim has been ongoing since 2014.

The company identified the breach after an internal security tool alerted it to an unauthorised access attempt. On investigating, it found that an unknown party had copied and encrypted information from one of its guest databases, a common precursor to exfiltration.

Marriott International agreed to buy the Starwood group of hotels, which includes St Regis, Sheraton and Westin, in 2015 (the deal completed in 2016), making it the world’s largest hotel chain.

That vast customer base seems to have been an attraction for hackers, who are believed to have accessed and copied up to 500 million guest records. For around 327 million of those guests the records include names, phone numbers, email addresses, passport numbers and dates of birth.

This makes the Marriott breach the second largest in history, though it lags far behind the Yahoo breach which affected 3 billion users.

How did hackers breach Marriott security?

The New York Times reports that a US government investigation into the breach indicates that Chinese state hackers were responsible, though no details have been released regarding the tactics used.

Are you affected by the Marriott Starwood data breach?

If you have stayed at any of the Starwood group hotels, you are advised to change your passwords and understand that your data (name, payment details, address, phone numbers etc.) could be passed on to cybercriminals.

This kind of customer data is frequently used to facilitate fraud. For example, a fraudster might use the information they have to pretend to represent your bank, or your mobile phone provider, so that you hand over access codes, payment information – or simply validate the information they already have.

How can companies prevent customer data breaches?

When even the largest companies in the world – and the most tech savvy – seem incapable of protecting customer data, what can smaller companies and SMEs do to fight back against the constant threats from hackers?

Keep up. As quickly as companies deploy new security standards, hackers are working on ways to crack them. Just as companies ditch insecure technologies, hackers are engineering a back door into the new solutions. And just as companies teach their employees about popular social engineering techniques, hackers are already moving on to new tactics.

It’s very difficult for large organisations, with their policies, teams and ways of doing business, to outfox cyber criminals who work alone (or in small groups), share information freely and have no compunction about breaking any rule or law.

In spite of this, it’s important that companies try to stay up to date with changing threats.

Prioritise security. One theory about the Marriott hack is that senior executives did not prioritise data security during the acquisition of the Starwood group, leading to weaknesses in the databases or connections between systems, which may have been exploited by hackers.

Data security should be a C-level issue. Security should be driven from the very top, and prioritised in all activities.

Test. When was the last time you tested your network and systems to ensure they can’t be accessed by unauthorised third parties? Penetration testing can help you identify weaknesses in your security and prioritise fixes.

Raise awareness. As we’ve discussed on this blog before, digital security is a company-wide issue, and every employee is a gatekeeper to your customer data, networks, systems and intellectual property. Employees often provide the gateway for hackers, either deliberately or accidentally, so it makes sense to invest in employee training.

Is your company vulnerable to data breaches?

VinciWorks provides a suite of eLearning solutions, including courses on data protection, cyber security and GDPR. You can either choose our solutions as off-the-shelf courses, or you can adapt them to suit your organisation’s needs with our Adapt authoring tool (or we can manage this for you).

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs, data controllers and data processors. Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach €20 million or 4% of annual global turnover, whichever is higher.


James, CEO, VinciWorks
