Over 500 million Marriott guests affected by serious breach

03 Dec 2018


Last Friday, one of the world's biggest companies revealed that it had suffered a massive data breach at the hands of attackers. Marriott announced that some of its customers' private details, including passport numbers, email addresses, dates of birth, gender and mailing addresses, had been exposed. There is also a distinct possibility that credit card information was accessed too, although this has not yet been confirmed:

The Marriott commented that it "has not been able to rule out" that credit card information had been exposed.

Who has been affected and when did this breach take place?

The breach was the result of a compromise of the company's Starwood room reservation network, and although it is only now coming to light publicly, current analysis suggests the intrusion may have started as early as 2014.

The sheer scale and duration of the attack mean that it is wide-ranging, with guests affected globally. In London alone, the Park Lane Sheraton Grand, the Westbury Mayfair and Le Meridien Piccadilly have all been impacted. With the reach and severity of the attack now apparent, the firm has informed the UK's Information Commissioner's Office (ICO) of the breach.

A spokesman for the ICO said: "We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries. We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online."

The length of the attack also raises further questions about what Marriott knew about the breach, and about how and why it went undiscovered, or at least unreported, for so long.

Which hotels were breached?

The breach affects the following hotel chains:

  • W Hotels
  • St. Regis
  • Sheraton Hotels & Resorts
  • Westin Hotels & Resorts
  • Element Hotels
  • Aloft Hotels
  • The Luxury Collection
  • Tribute Portfolio
  • Le Méridien Hotels & Resorts
  • Four Points by Sheraton
  • Design Hotels that participate in the Starwood Preferred Guest (SPG) program
  • Starwood-branded timeshare properties

If you have been a guest at any of the above, it is important that you take steps to find out whether you have been affected. Check your account for any unusual activity and change any passwords associated with it.

How could the Marriott Group have avoided this breach, and how can companies at large stay safe?

We don't know all the details yet; however, an attack of this magnitude suggests that a number of things went wrong or were overlooked.

As threat vectors multiply and attacks become more pervasive and more complex, companies now operate in a difficult environment. Many of the companies we see being attacked have huge resources, both in people and financially, and yet they are not immune; in fact they can often be more vulnerable, because they present more entry points for attackers to exploit. These weaknesses take a number of forms: human vulnerabilities, such as employees who do not understand threats like phishing; gaps in process; and, of course, vulnerabilities in networks, systems and software. There is a plethora of things that can present a weakness ready for exploitation.

Keeping on top of an entire environment means taking a holistic approach over time. Cyber Security Maturity is a pragmatic, risk-based approach to security that involves reviewing an organisation's entire estate, taking into consideration everything that affects its cyber security at the human, compliance and technological levels, and identifying where the gaps exist. Although effective, this approach is still not one that many companies employ.

For many years organisations have taken a piecemeal, point-in-time approach to their cyber security, patching individual problems retrospectively and applying short-term fixes. The consequences of this approach are now becoming apparent, with high-profile breaches coming to light across the board.

"The reality is, when it comes to cyber security, organisations must continuously make prioritised, actionable cyber security decisions to improve business resilience, while at the same time adapting to emerging business objectives, the changing technology and the evolving threat landscape. As a leading UK-based cyber security company operating in this industry for over 20 years, we have a real depth of understanding when it comes to situations such as the one Marriott are now embroiled in. The impact on both the company and its clients will be felt deeply and more than likely for a long time," commented Shannon Simpson, Cyber Security and Compliance Director at CNS, a Six Degrees Company.

Simpson went on to say: "It's key that companies really look to prevent these attacks happening in the first place, so that they're not left mopping up the mess they present. Very often we are called in after an event like this; it's something we're well versed in fixing. However, what we ideally want is for people to call us in before something like this happens. Again, prevention is always the best approach. This ethos, as well as decades of experience, led us to develop a system called Aegis in response. Using Aegis, we go into an organisation and dig down to the very core of its systems, technology and procedures, enabling us to understand where its vulnerabilities lie in granular detail and to prescribe the right course of action, whether that be the implementation of managed security services, new systems and technology, new governance structures or training. The important thing about this approach is that it isn't one-off; it's about continuously understanding our clients' environments and being multiple steps ahead of potential attackers. It's this kind of system that organisations need to start looking at implementing if they want to protect their stakeholders, their brand and, of course, their share value and profitability."

Although it is early days, the impact of this attack is sure to be felt deeply, with its seriousness ranking alongside the Yahoo breach of 2013. Moreover, with the introduction of GDPR there will also be a level of financial liability that is as yet unpredictable, although estimates have put the figure at up to $916 million.

About CNS a Six Degrees Company

As a leading provider of cyber security services, we work across the board protecting organisations from the threats that exist within the cyber landscape. We provide holistic security solutions including compliance, governance, testing and Managed Security Services, enabling us to implement robust security at every level. Our dedicated Security Operations Centre, located in an undisclosed UK onshore location, provides 24/7/365 threat detection and protection to some of the UK's most valuable assets, from banks to government facilities. As part of Six Degrees we are able to provide not only scale, but holistic solutions for organisations that are going through the process of digital transformation and striving to implement watertight cyber security frameworks.
