Marriott ‘missed warning signs’ before massive data breach
The Marriott hotel chain could have prevented the massive data breach that compromised the personal details of hundreds of millions of guests had it heeded warning signs and taken previous opportunities to improve its defences, it has been claimed.
Several cyber security experts have suggested that the company should have been able to identify the hackers long before it found the breach, which was said to have been ongoing for around four years and to have affected around 500 million users. The stolen details included names, email addresses, payment card information and passport information.
Brian Krebs of the KrebsOnSecurity blog said that in the current era, breaches that go undetected for this long should be a thing of the past, but clearly they are not.
He added that the hospitality sector has proven to be especially vulnerable to data breaches, noting such companies have been "notoriously bad" at implementing adequate security protections. For example, he said that one particularly glaring weakness is the continued use of credit and debit card swiping systems, as opposed to chip-enabled readers that encrypt payment information, Travel Weekly reports.
Mr Krebs noted that even the press release announcing the breach was hosted on an unencrypted website, which may suggest basic steps are not being taken.
This incident is not the first data breach Marriott has identified, and experts have questioned why previous investigations did not find the issue. For example, in 2015, Starwood reported a much smaller breach that involved attackers installing malware on point-of-sale systems in some hotel restaurants and gift shops to gather payment card details.
While Marriott said this incident was unrelated to the current breach, security specialists said a more thorough investigation into the previous intrusion could have uncovered the attackers, who were already embedded in the company's system.
"With all the resources they have, they should have been able to isolate hackers back in 2015," Andrei Barysevich, a researcher with the security company Recorded Future, told the Wall Street Journal.