While Marriott International’s massive data breach last year hurt the company, the incident offered lessons for other companies that want to avoid the same fate. At the time, the breach was one of the largest to date, affecting up to 327 million hotel guests who made a reservation at a Starwood property as far back as 2014.
Starwood properties, which Marriott purchased in 2016, include Sheraton, Westin, W and St. Regis hotels. Marriott should have done a cybersecurity assessment before acquiring Starwood, looking for potential security gaps and checking the feasibility of combining the cybersecurity practices of the two organizations. We’ve learned that if you acquire a company, you also acquire its security risks.
Organizations in the travel industry should take note of Marriott’s data breach. The cybercriminals responsible for the breach may have wanted to steal identities and run phishing scams, but it could be worse. Names, addresses, card numbers, passport information, and travel dates are valuable information for foreign nations that want to track the movements of spies, diplomats, and military personnel. Travel brands should learn that all data, no matter how innocuous it appears, must be protected with encryption. Marriott stored information on European citizens, and Europe’s General Data Protection Regulation allows for massive fines against companies that store certain data elements unlawfully.
One of the most important things we’ve learned from the Marriott data breach is that business databases need encryption in memory and in use, not just at rest. Application-based encryption would have thwarted the Remote Access Trojan and protected the Starwood guest reservation database. Marriott assumed everything was fine. Smart companies should not wait for a red flag to take action; there should be weekly checks for suspicious activity.
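To make the distinction between "encrypted at rest" and "encrypted by the application" concrete, here is an added example (not Marriott's or Starwood's code, and not a description of their systems) of field-level encryption for a reservation record. The sensitive columns are sealed with AES-256-GCM inside the application before the row reaches the database, and each ciphertext is bound to its own row and column through the GCM associated data, so a value copied into another row will not decrypt. The record layout, field names, and sample values are constructed for the illustration; the key would come from a key-management service, never from the database host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// GuestRecord is a constructed reservation record (hypothetical layout).
type GuestRecord struct {
	ReservationID string
	Name          string
	Passport      string
	CardNumber    string
}

// StoredRecord is what the database row looks like: the sensitive fields are
// ciphertext produced by the application, so a database dump, a storage
// snapshot, or a process holding only database credentials yields no plaintext.
type StoredRecord struct {
	ReservationID string
	Name          string
	PassportEnc   string // base64(nonce || ciphertext || tag)
	CardEnc       string
}

// aad binds a ciphertext to one row and one column; AES-GCM refuses to
// decrypt a value that was moved to a different row or column.
func aad(reservationID, field string) []byte {
	return []byte(reservationID + "|" + field)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField returns base64(nonce || ciphertext+tag) for one sensitive value.
func EncryptField(key []byte, reservationID, field, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), aad(reservationID, field))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField; it fails on a bad key, a tampered
// ciphertext, or a ciphertext that belongs to another row or column.
func DecryptField(key []byte, reservationID, field, encoded string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], aad(reservationID, field))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// SealRecord encrypts the sensitive columns before the row is written.
func SealRecord(key []byte, g GuestRecord) (StoredRecord, error) {
	passport, err := EncryptField(key, g.ReservationID, "passport", g.Passport)
	if err != nil {
		return StoredRecord{}, err
	}
	card, err := EncryptField(key, g.ReservationID, "card", g.CardNumber)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{g.ReservationID, g.Name, passport, card}, nil
}

// OpenRecord decrypts a row read back from the database.
func OpenRecord(key []byte, s StoredRecord) (GuestRecord, error) {
	passport, err := DecryptField(key, s.ReservationID, "passport", s.PassportEnc)
	if err != nil {
		return GuestRecord{}, err
	}
	card, err := DecryptField(key, s.ReservationID, "card", s.CardEnc)
	if err != nil {
		return GuestRecord{}, err
	}
	return GuestRecord{s.ReservationID, s.Name, passport, card}, nil
}

// ContainsPlaintext reports whether a stored row still exposes a sensitive value.
func ContainsPlaintext(s StoredRecord, value string) bool {
	return strings.Contains(s.PassportEnc, value) || strings.Contains(s.CardEnc, value)
}

func main() {
	key := make([]byte, 32) // hypothetical: fetched from a KMS/HSM in a real deployment
	rand.Read(key)
	guest := GuestRecord{"RSV-0001", "A. Example", "X1234567", "4111111111111111"} // constructed
	stored, err := SealRecord(key, guest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("row as stored: %+v\n", stored)
	back, _ := OpenRecord(key, stored)
	fmt.Printf("row as seen by the application: %+v\n", back)
}
```

The Name column is left in clear here only to show that the decision is per field; the point of the passage is that the plaintext of the sensitive columns exists only inside the application process that holds the key, so whatever reads the database directly sees ciphertext.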
Finally, Marriott should have found a better way to contact affected customers. We’ve learned not to send breach notifications from third-party vendors. The email didn’t appear to be from Marriott, and people who had heard of the breach thought it was a phishing scam. Marriott should have linked to its own established website rather than to a separate site set up solely to provide information about the breach; an unfamiliar domain is an open invitation for cybercriminals to create spoof emails and spoof websites. Hopefully, other companies will learn from Marriott’s many mistakes.