The data breach faced by Marriott International is the most recent large-scale data breach, and it involved its Starwood division hotels. The international hotel company acknowledged the compromise of the reservation systems, in which the exposed customer information included passport numbers and credit cards (Gaglione Jr, 2019). The breach was flagged by an internal security tool, which reported an unauthorized attempt to access the internal guest reservation database for the Starwood brands of Marriott International. The forensic process then found that the reservation system had been compromised early in 2014, before the acquisition by the hotel brand, Marriott International (Gaglione Jr, 2019). Marriott acquired Starwood. The reservation system used by the former Starwood hotels was not migrated to Marriott's reservation system and still used the former Starwood hotels' infrastructure.
Before the company acquisition, Starwood IT and information security were run and monitored by Accenture, which noticed an unusual database query (Gaglione Jr, 2019). The query was made by a user with administrator privileges. However, a quick evaluation showed that the person assigned to the account had not made the query. Hence, someone else had gained control of the account. The investigation found that data had been encrypted and removed from the Starwood systems (Gaglione Jr, 2019). Further analysis also indicated that the attackers could decrypt the data, which included information on over 500 million guest records. Most of the records were described as containing extremely sensitive information such as credit card and passport numbers. According to the investigation, a Remote Access Trojan was used in conjunction with Mimikatz, which sniffs out username and password combinations in system memory (Dalal, 2019). The two tools are speculated to have given the attackers control of the administrator account.
Starwood and Marriott's mistakes were failures of basic security: a lack of defense in depth allowed the attackers to stay in the system for years. Marriott was compromised because it failed to follow an important cybersecurity rule that strengthens security, namely the principle of assuming the company is already compromised and acting accordingly. According to Dalal (2019), the company could have applied several deidentification methods, including differential privacy, pseudonymization, tokenization, and data masking.
The company should have ensured a proper security assessment every year through a third-party vendor, which requires the company to meet compliance requirements. Proper tests would have uncovered and indicated the compromise. In a company acquisition, the cybersecurity assessment should involve a risk and vulnerability assessment, a penetration test, and an overall security controls assessment for the merging company (Dalal, 2019). Another measure is frequent monitoring of cloud access, which must identify who logs into the network and how much data they are moving and accessing. It is through cloud monitoring that suspicious log-in locations and large data transfers are identified and stopped. It is critical to encrypt data within the company, but it is more important to store the encryption keys correctly. Furthermore, there should be efforts to strike a balance between cybersecurity and business operations. Cybersecurity must be made a priority for local and international businesses, as breaches can adversely affect daily operations.
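The access-monitoring check described above, as an added example that is not part of the original essay: it builds a per-account baseline of log-in locations and outbound data volume, then flags events that deviate from it. The account names, record layout and the 10x-median threshold are assumptions, and all records are constructed.

```python
import statistics
from collections import defaultdict

# Constructed sample records (account, source_country, bytes_out); not incident data.
BASELINE = [
    ("db_admin", "US", 40_000_000),
    ("db_admin", "US", 55_000_000),
    ("db_admin", "US", 35_000_000),
    ("resv_app", "US", 5_000_000),
    ("resv_app", "IE", 6_000_000),
    ("resv_app", "US", 4_000_000),
]
NEW_EVENTS = [
    ("db_admin", "US", 50_000_000),     # matches the account's usual pattern
    ("db_admin", "BR", 45_000_000),     # location never seen for this account
    ("db_admin", "US", 9_000_000_000),  # far above the usual transfer size
    ("resv_app", "IE", 5_500_000),      # matches the account's usual pattern
    ("contractor7", "US", 1_000_000),   # account with no history at all
]

def build_profiles(records):
    """Per account: the set of countries seen and the median bytes sent out."""
    seen, volumes = defaultdict(set), defaultdict(list)
    for user, country, bytes_out in records:
        seen[user].add(country)
        volumes[user].append(bytes_out)
    return {u: (seen[u], statistics.median(volumes[u])) for u in seen}

def review(event, profiles, factor=10):
    """Return the findings for one event; an empty list means nothing unusual."""
    user, country, bytes_out = event
    if user not in profiles:
        return ["no_baseline"]  # unknown accounts are surfaced, not silently passed
    countries, median_out = profiles[user]
    findings = []
    if country not in countries:
        findings.append("new_location")
    if bytes_out > factor * median_out:  # assumed threshold: 10x the account median
        findings.append("large_transfer")
    return findings

def flagged(events, baseline):
    """Return (account, findings) for every event that needs an analyst's review."""
    profiles = build_profiles(baseline)
    results = [(event[0], review(event, profiles)) for event in events]
    return [(user, findings) for user, findings in results if findings]

if __name__ == "__main__":
    for user, findings in flagged(NEW_EVENTS, BASELINE):
        print(user, findings)
```

A privileged account such as the administrator account in this case would normally get a tighter threshold and an alert on every finding, since its baseline should be narrow.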
In conclusion, businesses and companies should focus on performing proper security assessments. Most importantly, proper vetting of databases should be carried out before any mergers are implemented.
