Marriott Hacked Again: 5.2 Million Users Compromised in Latest Data Breach
In November 2018, Marriott suffered a data breach, exposing the data of 500 million users. It was one of the largest data breaches in history.
In January 2020, Marriott suffered a second cybersecurity incident. Although sensitive data was not accessed in this second breach, it highlights the fact that unless significant effort goes into addressing vulnerabilities, sensitive user data is always at risk: a single security flaw is all that is needed to expose it.
How was Marriott hacked?
The incident occurred in a franchise hotel operating under the Marriott name. Login credentials of two employees were used to access guest information, including names, addresses, phone numbers, birth dates, loyalty information, and preferences.
Fortunately, the hackers could not access credit card or financial information, but they had unfettered access to the rest of the users’ data for six weeks. Marriott “does not currently believe that its total costs related to this incident will be significant.”
Once the hack was discovered, Marriott disabled the affected employees’ accounts. Marriott also alerted the customers affected by the hack and has set up a dedicated website and call center to help those customers. The affected customers have also been offered access to a free personal information monitoring service provided by Marriott.
How could it have been prevented?
While everyone needs a plan for putting out the fires caused by a data breach, it is much better to prevent the hack in the first place.
Security awareness training would have taught managers and employees to follow a better password policy. Passwords should be complex enough that they cannot be guessed, should be changed regularly, and should never be written down or sent via email.
A quality threat risk assessment would have given Marriott an analysis of the security flaws in its system and the threats associated with them.
The internet is a harsh environment, and without strong security controls, sensitive user data is in danger. It can be kept safe with regular security testing.