Cybersecurity in the Hotel Industry: Lessons from Marriott Data Breach

Last November, it was revealed that the private information of around 500 million guests at the Marriott International had been leaked. The exposed data include names, addresses, phone numbers, passport numbers, and emails. The hack was traced to the room reservation network of the hotel chain’s Starwood branch. It was discovered that there was unauthorized access to the database since 2014.

The hospitality industry is a common target for cyber criminals because of the massive amount of data hotels hold. PwC’s Hotels Outlook Report 2018 – 2022 showed that the hospitality industry has the second highest number of data breaches. It just proves that hotel brands are still lacking when it comes to security in the digital space.

In light of these incidents, what lessons can be learned from Marriott’s breach and from cybersecurity for the hospitality business in general?

Data security should be part of business negotiations

Marriott International acquired the Starwood hotel chain for $13.6 billion (£10.5 billion) in September 2016. Starwood’s customer data was the main reason for the acquisition, with the CEO of Marriott even mentioning Starwood’s loyalty programme. But since the hack dates back to 2014, the hotel giant unknowingly also acquired an ongoing data breach.

A valuable lesson here is that businesses should always scrutinize the cybersecurity and data handling of other companies before they enter into any type of deal. Even though the hack happened before the acquisition, it’s still Marriott’s reputation that is compromised.

The same principle should be applied when a company acquires new infrastructure, applications, and systems. While these seem like assets, they should also be treated as potential liabilities especially where data security is concerned. It’s important to note that tech innovations emerge frequently and that encryption and security for these new developments should be studied closely.

In Ayima’s report on new tech for November 2018, they highlighted Facebook’s new video calling product called Portal, which boasts a smart camera that tracks and follows people’s movement around the room. Video chat is currently being explored in the hospitality industry, with airports installing kiosks with interactive screens for two-way communication. If a hotel were to partner with Facebook, it would need to analyse the data security protocols that Facebook has in place. However, given Facebook’s own Cambridge Analytica scandal, a hotel company would be better off adding its own layer of cyber security as a precaution.

Proper data storage is important

What is more troubling about Marriott’s data breach is the fact that the company cannot confirm whether or not the encryption keys used to protect credit card numbers have also been compromised. When an enterprise doesn’t have constant visibility on the location of the keys that protect machine identities, it would not know where the system’s vulnerabilities lie.

This mishap could have been avoided if the hotel company ensured that payment or credit card information was stored separately instead of alongside non-payment data. This mistake makes the job easier for cyber criminals, as they only need to exploit one vulnerability in order to obtain important data.

Security audits should take place regularly

All businesses should do an audit to detect any unusual activity. It also helps prevent cyber attacks from happening in the first place, as it ensures a safe digital environment and the integrity of the data. Following the acquisition, it took two years for Marriott to realize the data breach.

It’s easier said than done, especially for enterprises that have multiple cloud environments. In order to ease the auditing process, companies would have to find a way to identify newly added assets and establish a system that would ensure each new asset’s visibility in the cloud.

 

Prepared by: JBridges for opendatasecurity.io