The Marriott hotel chain could have prevented the massive data breach that compromised the personal details of hundreds of millions of guests had it heeded warning signs and taken previous opportunities to improve its defences, it has been claimed.
Several cyber security experts have suggested that the company should have been able to identify the hackers long before it found the breach, which was said to have been ongoing for around four years and affected around 500 million users, with details including names, email addresses, payment card information and passport information stolen.
Brian Krebson of the KrebsOnSecurity blog said that in the current era, breaches that go undetected for this long should be a thing of the past, but clearly they are not.
He added that the hospitality sector has proven to be especially vulnerable to data breaches, noting such companies have been "notoriously bad" at implementing adequate security protections. For example, he said that one particularly glaring weakness is the continued use of credit and debit card swiping systems, as opposed to chip-enabled readers that encrypt payment information, Travel Weekly reports.
Mr Krebson noted that even the press release announcing the breach was hosted on an unencrypted website, which may suggest basic steps are not being taken.
This incident is not the first data breach Marriott has identified, and experts have questioned why previous investigations did not find the issue. For example, in In 2015, Starwood reported a much smaller breach that involved attackers installing malware on point-of-sale systems in some hotel restaurants and gift shops to gather payment card details.
While Marriott said this incident was unrelated to the current breach, security specialists said a more thorough investigation into the previous intrusion could have uncovered the attackers, who were already embedded in the company's system.
"With all the resources they have, they should have been able to isolate hackers back in 2015," Andrei Barysevich, a researcher with the security company Recorded Future told the Wall Street Journal.