
MARRIOTT DATA BREACH
Abstract
Marriott International is a hospitality firm based in Bethesda, Maryland, that was founded in
1927. It is the world's largest hotel network, with 30 brands spread over 131 countries. Marriott
International is well-known for its opulent hotels and affluent clientele. Marriott International
stated on November 30, 2018, that an "unauthorized party" had acquired access to the personal
information of 500 million Starwood customers, adding to an ever-growing list of huge data
breaches that appear to be occurring more and more often.

Statement of the Problem: How did it happen?

Marriott reported that it received an alert from an internal security tool sometime in early
September 2018, indicating that an unknown entity had attempted to access the Starwood guest
reservation database. This triggered an internal investigation, which discovered that the
Starwood network had been infiltrated sometime in 2014, back when Starwood was still a separate
corporation. It was also discovered that this entity had duplicated and encrypted client
information before attempting to remove it from the Starwood database. Passwords, email
addresses, departure and arrival dates, and passport information were among the information
exposed, according to Marriott. While Marriott claims to be investigating how the breach
occurred, the question on everyone's mind is why it was only discovered now, when it is clear that
it started over four years ago. Marriott should have been able to identify and isolate the intrusion
in 2014, given the vast resources at its disposal. Unfortunately, it was also about this time
that Marriott announced its acquisition of Starwood Hotels and Resorts Worldwide, and this is
where the problem began.

How was the Issue Addressed?


Marriott was fined for the data breach in July 2019, and the penalty was a considerably
more serious setback than the breach disclosure itself. The UK's Information Commissioner's
Office (ICO) fined Marriott £99 million, or more than $120 million, for violating British
individuals' privacy rights under the GDPR. The ICO cited Marriott's failure to perform due
diligence on Starwood's IT infrastructure as the reason Marriott was punished for Starwood's
errors. The hefty penalty might be only the beginning, as other governments may seek to penalize
the business for its transgressions. Marriott has also not gone out of its way to reimburse any of
its customers whose data was taken, perhaps because there appears to be no imminent concern of
the stolen data being used for fraud. According to the New York Times, a Marriott spokesman said
the firm would reimburse the cost of replacing a passport with a new number or credit card costs
"if theft has occurred." Marriott also said it will be offering free personal information
monitoring services to those affected through Identity Works for one year.

Recommendation

For those who are affected by the data breach, it is recommended to change the passwords on any
Marriott accounts or bookings, as well as on any bank or credit card accounts used to make
reservations. Passwords should be changed on a frequent basis. Also, you may want to consider
creating and using separate email addresses for non-essential purposes, such as travel or
shopping, to isolate your information and protect it from unnecessary exposure. Marriott and
Starwood, for their part, must tighten controls and invest more in securing their customers'
information, and must make sure that it is used only for its intended purpose. Through this
experience, they should focus on ensuring that the data provided by their customers is stored in a
safe place that is difficult for attackers to reach. It is their responsibility to take care of
their customers' information, since it has been entrusted to them. If this happens again, they
might lose the trust of their customers.

Conclusion

Hundreds of millions of people's passport and credit card data were taken in the Marriott
hack, which may have terrible personal consequences. The exposure of credit card numbers is
particularly concerning and was made possible by yet another Marriott security flaw: while
credit card numbers were saved in encrypted form, the encryption keys were stored on the
same computer and were presumably taken in the hack as well. Basic security flaws were found in
both Starwood and Marriott, including a lack of defense in depth that allowed attackers to remain
in the system for years after the compromise, and a failure to keep encrypted data and the keys
used to encrypt it separate. Marriott broke the most essential cybersecurity rule: presume you
have been hacked and respond appropriately.
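The key-separation flaw described above is easiest to see in code. The following is an added example, not Marriott or Starwood code: a `KeyService` object stands in for a key management service or HSM on a separate host, a plain dict stands in for the reservation database, and the cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, a standard-library stand-in for AES-GCM so the file runs without third-party packages. `store_colocated` reproduces the weak design (key stored next to the ciphertext); `store_envelope` shows envelope encryption, where each record gets its own data key and only the wrapped data key is stored with it. `recover_from_dump` models what a copied database yields to whoever took it.

```python
"""Envelope encryption: the key that unlocks card data lives on another system.

Constructed illustration (not Marriott/Starwood code). The HMAC-CTR cipher
below is a stdlib stand-in for AES-GCM; use a vetted AEAD in real systems.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

Blob = Dict[str, bytes]  # keys: "nonce", "ct", "tag"


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC over (nonce || counter) blocks, concatenated and truncated.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> Blob:
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt(key: bytes, blob: Blob) -> bytes:
    expected = hmac.new(_subkey(key, b"mac"), blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))


class KeyService:
    """Stand-in for a KMS/HSM on a separate host: it holds the key-encryption
    key (KEK) and exposes only wrap/unwrap, never the KEK itself."""

    def __init__(self) -> None:
        self._kek = os.urandom(32)

    def wrap(self, dek: bytes) -> Blob:
        return encrypt(self._kek, dek)

    def unwrap(self, wrapped: Blob) -> bytes:
        return decrypt(self._kek, wrapped)


def store_colocated(db: dict, pan: str) -> None:
    """Weak design from the case study: the key sits beside the ciphertext."""
    key = os.urandom(32)
    db["card"] = encrypt(key, pan.encode())
    db["key"] = key


def store_envelope(db: dict, kms: KeyService, pan: str) -> None:
    """Hardened design: a per-record data key (DEK) encrypts the card number;
    only the KEK-wrapped DEK is stored alongside it."""
    dek = os.urandom(32)
    db["card"] = encrypt(dek, pan.encode())
    db["wrapped_dek"] = kms.wrap(dek)


def read_envelope(db: dict, kms: KeyService) -> str:
    """Legitimate read path: the key service unwraps the DEK, then we decrypt."""
    dek = kms.unwrap(db["wrapped_dek"])
    return decrypt(dek, db["card"]).decode()


def recover_from_dump(dump: dict) -> Optional[str]:
    """What a copy of the database alone yields. The plaintext comes back only
    when the decrypting key was stored next to the ciphertext; a wrapped DEK
    without the key service's KEK is just more ciphertext."""
    if "key" in dump:
        return decrypt(dump["key"], dump["card"]).decode()
    return None


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed test number, not a real card
    kms = KeyService()
    weak, hardened = {}, {}
    store_colocated(weak, test_pan)
    store_envelope(hardened, kms, test_pan)
    print("co-located key, dump yields:", recover_from_dump(dict(weak)))
    print("envelope, dump yields:", recover_from_dump(dict(hardened)))
    print("envelope, legitimate read:", read_envelope(hardened, kms))
```

The design point is that a copy of the database, which is what an intruder with years of access can take, is worthless for the envelope design unless the key service is compromised too, and every unwrap call is an auditable event on that separate system, which also gives defenders a detection point the co-located design never offers.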
