By: Todd Fitzgibbon
Marriott announced a data breach in late November that affected some 500 million Starwood customers over the last four years. A number that large is almost impossible to visualize, so think of it this way: it’s as if everyone in the United States, Canada, and Mexico had their personal data stolen. In other words, it’s a big deal, and no one has yet grasped its total impact.
Fortunately, as of now, the personal data from the breach (names, dates of birth, credit card numbers, email addresses, passport numbers, and arrival and departure times) hasn’t shown up for sale on the black market. But that doesn’t mean we’re in the clear; far from it. As the New York Times reports, the evidence points to Chinese hackers working for their government’s intelligence and military services. The end game is to amass personal data on Americans, and a trove like this is useful for espionage long after the breach is closed, whether or not it is ever sold.
Missed Opportunity: The 2015 Data Breach
The breach started back in 2014. While a four-year-old intrusion may seem astonishing, the hospitality industry in general is often criticized for less-than-adequate cybersecurity. Many times, digital initiatives with a “wow” factor are prioritized over the behind-the-scenes, but much more important, improvements in cybersecurity. This will likely be the wake-up call the industry needs.
There’s nothing worse than a Monday-morning quarterback, but there are a few lessons we should all take from Marriott’s breach. Starwood disclosed a breach in 2015 within days of the announcement of its acquisition by Marriott. It was a small breach involving point-of-sale malware in some of its restaurants and gift shops. That small blip on the radar should have been the opportunity to catch the bigger problem lurking in its systems.
Looking Back: What Else Is Broken?
If you work in technology, you’re very familiar with regression testing. Before you release something new, you go back to see what you may have broken. The 2015 point-of-sale incident was a kind of forced regression test for Starwood, and for Marriott as its acquirer: the investigation should have been the moment to hunt for other vulnerabilities and other footholds, and potentially to catch the 2014 intrusion. Easier said than done, obviously, with the complexity and size of a system like Marriott’s, and an incident response that is scoped narrowly to the restaurant and gift-shop terminals will never look at the reservation database.
The lesson here is that if your organization suffers a breach, it’s important not only to fix the vulnerability and strengthen yourself for the future, but also to go back and identify where earlier iterations of your cybersecurity may have had holes, and whether anyone has already been through them.
Looking at Your Current State: Where Are We Vulnerable?
Any time you have a breach, it should be a red flag that escalates your vigilance. It’s smart to examine whether other systems currently in your inventory could be exposed to a similar type of breach. Think of it like getting a flat tire: it’s a good idea to examine the other three tires for similar wear and tear, or for signs that another flat is impending.
Where this analogy breaks down is likely the same place that Marriott’s investigation did. If you have another car in the garage, you might not check its tires, too, just because your first car had a problem. Marriott became the 800-lb gorilla in the industry through acquisitions, many of which came with their own systems for protecting the security of their guests’ data. Making them work together is an obvious challenge, and just because you found a problem in one place doesn’t mean you’ll catch a different problem somewhere else. That is how a security breach sticks around for four years.
Looking Forward: Are We Prepared to Catch the Next One?
A breach is a milestone in your cybersecurity history that should drive home the importance of understanding how your systems are interconnected, and the need for the scope and process of your recurring assessments to evolve. You may need to increase the frequency of your assessments, add new triggers for initiating them (an acquisition, an incident, a major system change), deepen their complexity, and/or revisit their inclusion and prioritization criteria. The key to preparing for the future is to ensure your organization self-assesses the processes it has in place to protect itself. Evaluate the learnings of the past, incorporate that knowledge into the present, and move forward knowing that you’ll need to re-evaluate again in the future. Remember that processes, like tires, wear out the further down the road you get.
At Rsam, we are advocates of having a platform in place to consolidate the view of your security landscape, whether it’s as complex as Marriott’s or considerably smaller, and empower you to adapt and embrace change. A platform automates your responses, improves communication between your teams, and breaks down silos across the organization that sometimes allow breaches to go undetected and fester.