6 Security Lessons Learned from Marriott’s Massive Data Breach

Last week, buried predictably on a Friday, Marriott revealed it – and, by extension, its guests, had been the victim of a truly massive data breach. All told, the hospitality giant believes attackers gained access to data on some 500 million guests who stayed at its Starwood properties over the past four years. For roughly 327 million of those guests, the data may include name, address, birthday, and even passport number. If that wasn’t enough bad news, Marriot representatives couldn’t fully guarantee that payment card data survived the intrusion untouched.

Multibillion dollar lawsuits have already begun piling up in response to the breach. Additionally, the company has promised to cover the costs incurred by those in need of a replacement passport. There’s also a $900 million fine potentially on the horizon thanks to Europe’s GDPR law.

As Marriott, regulators, and customers all seek to nail down what comes next, let’s take a look at what went wrong before (and after) the data breach and how that led us to this point.

6 takeaways from Marriott’s data breach

Lesson #1: Hunt for red flags. It used to be enough to watch for red flags, but not anymore. Assuming data is safe until it is demonstrated otherwise enables these year-plus breaches to continue happening. Instead, organizations must take a proactive approach when it comes to monitoring their network for malicious activity. They should invest in a security information and event management (SIEM) solution and tie as much of their IT environment as they can to it. From there, Tom Clerici, Arraya’s Cyber Security Director, suggests taking the time to “set the logging correctly on devices and create alerts for suspicious activity. Follow all this up with weekly meetings to review activity for anomalies.”

Lesson #2: Don’t get fooled again (and again). Cyber security incidents happen, but that doesn’t mean they should happen over and over again. However, Starwood has a rather long and sordid cyber security track record. Just days after its acquisition by Marriott in 2015, Starwood disclosed a year-plus data breach. Security researchers who’ve dug deeper into Starwood’s history claim to have found unpatched website vulnerabilities, easily-guessed passwords, and more. Not every organization is lucky enough to survive a serious cyber security incident. Those who do, must elevate their game so as to not tempt fate.

Lesson #3: There’s still a place for traditional security measures. After a public data breach, observers and victims alike often make a big deal about the latest tools. And these cutting edge solutions absolutely have a place on any network. After all, traditional tools like firewalls can’t stand up to advanced, file-less attacks. More modern tools like next-generation antivirus (NGAV) can. Those traditional methods still have a role to play, however. The idea should be to build a security environment that is both forward-looking and grounded in the here and now.

Lesson #4: Good cyber security isn’t just about the tools. It may sound hokey, but cyber security is all about the people. Organizations need to spend time training employees on cyber security fundamentals – and putting policies and governance in place to support those efforts. It’s not solely up to a security analyst to spot phishing emails or to know to avoid plugging strange USB devices into their computers. These lessons and more should go out to the entire team, making it clear that keeping the business safe is everyone’s responsibility.

Lesson #5: Don’t make things worse. A data breach is bad enough on its own without the response inadvertently making things worse. Last year, Equifax bungled the response to its own catastrophic data breach by setting up an incident response site separate from its normal web domain. This confused everyone from victims to the company’s own social media team. The latter even tweeted out the wrong link, which could have put even more people at risk. Marriott, it would seem, has not learned from Equifax’s own failings. In response to this breach, the hotel giant sent out an email, also removed from its typical domain, alerting customers of the incident. The message was deemed “easily spoofable,” by TechCrunch and lacked all the things one would look for in a legitimate message. In short, the message itself was a security incident waiting to happen.

Lesson #6: Incidents lead to regulation … or at least calls for it. The dust hasn’t even fully settled on the Marriott/Starwood data breach, but the drumbeat for repercussions has already started on Capitol Hill. For example: the idea that Marriott foot the bill for replacing affected passports apparently originated from Senate Minority Leader Chuck Schumer (D-NY). Meanwhile, Sen. Edward Markley (D-MA) called the breach a “black cloud hanging over the United States’ bright economic future.” It’s up in the air as to whether this government unrest translates into meaningful action, yet, the prospect will likely loom large on the horizon for some time to come.

Next Steps: Put these cyber security lessons to work

A knowledgeable and experienced CISO can easily address and streamline all of the above points. This expertise can be difficult and expensive to find and retain. That’s where Arraya Solutions can step in. Through our vCISO service, we partner with organizations of all specialties to put the tools and resources in place to keep data safe.

Get the conversation started with Arraya’s Cyber Security experts today by visiting https://www.arrayasolutions.com//contact-us/.

Also: We want to hear from you! Leave us a comment on this or any of our blogs through social media. We can be found on LinkedIn, Twitter, and Facebook. Once you’ve shared your take, follow us to stay updated on our industry insights and learning opportunities.