Marriott's Breach

Marriott's slogan is "We Serve Our World."  This slogan reflects the company's commitment to positively impacting the world, its guests, and the communities it operates in. Marriott International entered a $52 million settlement with the US Federal Trade Commission (FTC) to resolve allegations from a massive data breach that affected millions of guests.  The breach, which ran from 2014 to 2018, exposed sensitive customer information, including names, passport numbers, credit card details, and reservation information.

The data breach originated in 2014 when hackers infiltrated the Starwood reservation system, which Marriott acquired in 2016. The attackers gained unauthorized access to the system and stole the personal information of approximately 327 million guests. With more than 30 hotel brands, Marriott and its franchises manage more than 7,000 properties in the United States and more in 130 countries. The hotel giant acquired Starwood in 2016 for $13 billion, taking over its Westin, W Hotels, and St. Regis properties.

Marriott acknowledged the breach in 2018 after discovering it in September of that year.  The company took immediate steps to contain the damage, including notifying affected customers, freezing compromised accounts, and working with law enforcement to investigate the incident.  "I think this settlement underscores the need for a cybersecurity/forensic review when acquiring a company," said Richard Halm, Sr. Attorney, Clark Hill PLC.  "One of the underrated aspects of these incidents is that the initial compromise of the Starwood reservation system occurred before it was acquired but was ongoing through and after the acquisition.  The FTC's statement specifically says not to forget that along with 'good stuff,' 'you're also buying the problems, like vulnerabilities, misconfigurations, and other security issues that may exist.'"

See:  https://www.redskyalliance.com/financial

The FTC investigated the breach, focusing on Marriott's cybersecurity practices and response to the incident.  The commission accused the hotel chain of making deceptive information security statements on the Marriott and Starwood booking websites by claiming that appropriate safeguards were in place to protect personal information.  In statements, the FTC said it found those statements to be "false or misleading" as the "Respondents did not use appropriate safeguards to protect consumers' personal information.  The acts and practices of Respondents, as alleged in this Complaint, constitute unfair or deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act."  As part of the settlement, Marriott agreed to pay the FTC the $52 million civil penalty.  Additionally, the company committed to implementing a comprehensive cybersecurity program to prevent future breaches.

The Marriott data breach serves as a reminder of the importance of robust cybersecurity measures, as even significant, well-established companies can be vulnerable to cyberattacks.  Customer data is one of the most critical factors of customer experience.  As such, a first-class brand like Marriott and other significant brands should take the necessary means and precautions to minimize the risk of the data being leaked.  Personal data today can be used to target voting decisions and can even be weaponized for nation-state acts by targeting individuals according to their data.  Cyber threat investigators would also point out that regular threat-hunting activities should have been running during the four years this breach persisted.  If a breach has already happened, the company should know about it as soon as possible, which could limit the volume of data that ends up exposed.

Critical takeaways for businesses:

  • Proactive Security: Invest in solid cybersecurity measures to prevent breaches and protect customer data.
  • Regular Monitoring: Conduct security audits and vulnerability assessments to identify and address potential weaknesses.
  • Incident Response Planning: Develop a comprehensive incident response plan to respond to breaches and minimize damage effectively.
  • Transparency and Communication: Be transparent with customers in case of a breach and communicate promptly to mitigate harm.

"Mergers and acquisitions can have adverse impacts on acquiring companies if they are unaware of the unmitigated risks in the systems they are acquiring," said Piyush Pandey, CEO at Pathlock.  "For this reason, it is critical to have an identity governance and administration system that identifies access and separation of duties risks while, at the same time, continuously monitoring for actual violations of business process rules and IT general controls.  This approach could have dramatically reduced the dwell time the attackers had to exfiltrate data."  

The Bethesda, Maryland-based franchise also faces a class action lawsuit related to the 2020 data breach in the United Kingdom.  The FTC settlement could pave the way for more regulatory actions in other jurisdictions since the data breaches affected international guests.

Further, the settlement absolves the hotel chain of responsibility for failing to stop the data breaches.  "Marriott makes no admission of liability concerning the underlying allegations," the franchise responded.  "The Marriott settlement draws a line in the sand for what constitutes a 'reasonable data security' standard that will likely be used as a test in future litigation and regulatory actions," said Claude Mandy, Chief Evangelist, Data Security, at Symmetry Systems.  "The settlement underscores the fundamental data security practices that organizations must prioritize: reducing access, conducting comprehensive asset inventories of their data, logging and monitoring of file and user movement, implementing multi-factor authentication (MFA), and minimizing and disposing of data.  These are precisely the issues that Data Security Posture Management (DSPM) tools help organizations tackle."
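The article makes two practical points: regular threat hunting over a reservation system's access logs would have shortened a four-year dwell time, and logging and monitoring of file and user movement is one of the basics regulators now expect. The script below is an added illustration of that idea, not code from the article, from Red Sky Alliance, or from Marriott or Starwood. The log format (`timestamp|account|action|rows|source_ip`), the sample lines, the account names, the row threshold, the off-hours window and the "internal" address prefix are all constructed assumptions; a real hunt would read the actual audit log of the reservation database and tune the thresholds to that environment.

```python
"""Hunt constructed reservation-system audit logs for bulk-access anomalies.

Added example: the log format, field names, sample data and thresholds
below are assumptions chosen for illustration. The point is the one the
article raises: periodic hunting over access logs finds a long-running
compromise early, shrinking both dwell time and the volume of records exposed.
"""
from datetime import datetime

# Constructed sample audit log: ISO timestamp | account | action | rows | source_ip.
SAMPLE_LOG = """\
2014-07-01T09:12:04Z|frontdesk_ny|READ|3|10.20.1.15
2014-07-01T09:13:40Z|frontdesk_ny|READ|1|10.20.1.15
2014-07-02T02:11:09Z|svc_reports|EXPORT|250000|10.20.9.40
2014-07-02T02:35:51Z|svc_reports|EXPORT|180000|10.20.9.40
2014-07-03T10:02:13Z|frontdesk_ny|READ|2|10.20.1.15
2014-09-15T03:07:22Z|svc_reports|EXPORT|320000|203.0.113.77
2014-09-15T03:40:00Z|svc_reports|READ|4|203.0.113.77
"""

BULK_ROWS = 10_000          # assumed: a single operation touching this many rows is suspicious
OFF_HOURS = range(0, 6)     # assumed: 00:00-05:59 UTC is outside normal business hours
INTERNAL_PREFIX = "10."     # assumed: corporate address space; anything else is external


def parse_log(text):
    """Parse 'ts|account|action|rows|ip' lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, rows, ip = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "action": action,
            "rows": int(rows),
            "ip": ip,
        })
    return events


def hunt(events):
    """Return (ts, account, reasons) for every event that trips at least one rule."""
    findings = []
    for e in events:
        reasons = []
        if e["action"] == "EXPORT" and e["rows"] >= BULK_ROWS:
            reasons.append("bulk_export")          # large export of guest records
        if e["ts"].hour in OFF_HOURS and e["rows"] >= BULK_ROWS:
            reasons.append("off_hours_bulk")       # bulk access when nobody should be working
        if not e["ip"].startswith(INTERNAL_PREFIX):
            reasons.append("external_source")      # reservation DB reached from outside
        if reasons:
            findings.append((e["ts"], e["account"], reasons))
    return findings


def dwell_time(findings, detected_at):
    """Whole days between the earliest flagged event and the moment the hunt ran."""
    first = min(f[0] for f in findings)
    return (detected_at - first).days


def exposed_rows(events, findings):
    """Rows in flagged EXPORT events: a rough measure of what left the system."""
    flagged = {(f[0], f[1]) for f in findings}
    return sum(e["rows"] for e in events
               if (e["ts"], e["account"]) in flagged and e["action"] == "EXPORT")


def summarize(text, detected_at):
    """Run the full hunt on raw log text; detected_at is an ISO date like '2014-10-01'."""
    events = parse_log(text)
    findings = hunt(events)
    when = datetime.strptime(detected_at, "%Y-%m-%d")
    return {
        "findings": len(findings),
        "accounts": sorted({f[1] for f in findings}),
        "dwell_days": dwell_time(findings, when) if findings else 0,
        "exposed_rows": exposed_rows(events, findings),
    }


if __name__ == "__main__":
    # Running the hunt three months after the first export versus four years later
    # is the difference the article is pointing at.
    for hunt_date in ("2014-10-01", "2018-09-08"):
        print(hunt_date, summarize(SAMPLE_LOG, hunt_date))
```

Each rule on its own is noisy (a legitimate reporting job also exports in bulk), which is why the findings carry every reason that fired: an export that is bulk, off-hours, and from an external address at once is the one an analyst reads first. The `dwell_days` figure is what a scheduled hunt shrinks; the `exposed_rows` figure is what the article means by limiting the size of the data already exposed.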


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefing
https://register.gotowebinar.com/register/5378972949933166424
