Marriott Data Breach: Impact and Prevention
Added on 2023/01/10
AI Summary
This article provides information about the Marriott data breach in 2018, including the target of the breach, the type and volume of data taken, risks to those affected, the timeliness and adequacy of the response, liability of the target, other damages incurred, and ways to avoid similar incidents in the future. The breach affected up to 500 million customer records and included sensitive information such as credit card and passport numbers.
Law of internet
TABLE OF CONTENTS
Marriott data breach
  Target of the breach
  Perpetrator
  Type and volume of data taken
  Risks to those whose data was compromised
  Timeliness and adequacy of the response
  Liability of the target to the victims
  Other damage to the target and individuals
  Any way to avoid similar future incidents
Marriott data breach
In 2018, the Marriott hotel chain announced that one of its reservation systems had been hacked and that hundreds of millions of customer records, including credit card details, passport numbers and other important information, had been exfiltrated by the attackers. The points below provide the complete information about this cyber attack.
Target of the breach
The attackers had encrypted the data and attempted to remove it from the Starwood systems, and were successful in doing so. In November, the hotel managed to decrypt the data and identified that it included information from up to 500 million customer records. The breach involved the reservation database for Marriott's Starwood brands, which include the Westin, Sheraton, St. Regis, and W hotels.
Perpetrator
The mass theft is mainly associated with cybercriminals aiming to perform identity theft or to use the stolen credit card numbers. The information is not confirmed, but as per the New York Times and Washington Post, the US government has pointed at hackers employed by the Chinese intelligence services (Wang, 2020). Also, the attackers used cloud hosting space which is mostly used by Chinese hackers. Another aspect pointing to the breach being a government attack rather than the work of ordinary cybercriminals is that none of this valuable data has been put on sale on the dark web. Through investigation, it was discovered that a Remote Access Trojan (RAT) had been used along with Mimikatz, a tool used for obtaining usernames and passwords together from system memory. These two tools in combination gave the attackers control over the administrator account, but it is not clear how the RAT was placed on the Starwood server. However, such trojans can be downloaded from phishing emails, and it is a guess that this might have been the case here.
Government sources speculate that it is part of a Chinese effort to gather a massive amount of data on American government employees and other officers, since Marriott is the top hotel chain in the US and a service provider for the government and military. The data stolen in respect of the credit card numbers could be for the purpose of tracking movements across the world. The biggest goal could have been creating a pool of information on US government officials and employees so that big data techniques can be used to analyse it.
Type and volume of data taken
Based on the investigation, it was found that the attackers tried to access the data of up to 500 million guests, a figure which also includes some duplicate records or multiple records of the same guest (Ayaburi, Andoh-Baidoo and Lee, 2020). The type of data taken by the attackers includes certain basic information along with sensitive information such as credit card and passport numbers, which can be used for the purpose of fraud.
Risks to those whose data was compromised
The Marriott data breach was catastrophic, as the data of hundreds of millions of guests was compromised, including their passport numbers and credit card numbers, which could have a very dangerous impact on each individual. But the data breach does not actually seem to have had the damaging impact on Marriott's customers that was expected. Otherwise, it would have caused withdrawal of money from customers' accounts, which might have resulted in losses for the customers.
Timeliness and adequacy of the response
As per the report, there is no immediate threat that the stolen data has been used for fraud, and on that basis Marriott has not taken any major initiative to compensate the customers whose data was compromised. However, it has assured that if anything happens it will provide relevant damages.
Liability of the target to the victims
It is the liability of Marriott to provide damages to the victims in case any fraud or inappropriate usage of the data happens. According to the New York Times, the spokesperson of Marriott said that the company would pay the replacement cost for the issuance of a new passport with a new number and would also cover credit card expenses in case fraud takes place. Also, the potential damage is that the personal information is being stored with Chinese intelligence, as per the information gathered.
Other damage to the target and individuals
As per the report in March 2019, Marriott incurred $28 million in expenses in relation to the breach, which lowered the company's bottom line by just $3 million. But by May, Marriott had cut down its losses to just $1 million. This is because of the cyber insurance taken by the company to cover the initial costs incurred in association with the crisis. Apart from this, there are other damages being caused to the company. It has
been estimated that the direct costs, together with the indirect losses caused by customers who might not come back to the company in the future, will consequently lead to the loss of billions of dollars in revenue because of this breach. The UK's Information Commissioner's Office has also levied a fine on Marriott of £99 million, which is over $120 million, for violating British citizens' privacy rights under the GDPR. This fine is considered to be the starting point, as there are other jurisdictions which can look to punish the company for its lapses. Other than the financial losses, the company has to face reputational losses, loss of customer trust and loyalty, interruption of business functioning, loss of key clients, destruction of personal relationships with customers, suppliers and vendors, and so forth.
Any way to avoid similar future incidents
Marriott and Starwood failed to comply with basic security. They failed to keep the encrypted data and the key used for encryption separately. This has allowed the hackers to stay on the system for years (Marriott data breach FAQ: How did it happen and what was the impact? 2020). Thus, Marriott should follow all the relevant cyber security rules and Acts, which will help in effectively managing its IT system. The company should conduct employee security awareness training, as employees are the weakest link that leads to a breach. Employees open suspicious emails every day that have the potential to download viruses. The company should conduct such training periodically, such as quarterly or even monthly. It should also implement a system which alerts about timely updates of the software being used, and install patches whenever the need occurs. There are endless laws that govern consumer privacy and data security, such as PCI-DSS and the GDPR under the European Union. The company should also implement or introduce a data security policy, which will help in prioritizing security through introducing best practices and methods (11 Expert Tips for Data Breach Prevention in 2020. 2020). Also, the company should try to automate systems and processes as much as possible, which will reduce the number of accidental breaches, and automate safeguards such as a system that checks passwords regularly and alerts users to change them on a periodic basis. It should also introduce technology that assesses the server and firewall configuration and works as a warning system in case there are any holes or leaks.
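The automated password check recommended above can be sketched as follows. This is an added example, not part of the original essay: it assumes Linux hosts whose accounts follow the /etc/shadow field layout, and the sample records, the 90-day policy and the function name `audit_password_age` are constructed for illustration.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow stores the last change as days since this date

# Constructed sample in /etc/shadow layout (no real accounts or hashes):
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$constructed$hash:17000:0:90:7:::
svc_reservations:$6$constructed$hash:16500:0:99999:7:::
frontdesk1:$6$constructed$hash:17850:0:90:7:::
frontdesk2:$6$constructed$hash:17785:0:90:7:::
newhire:$6$constructed$hash:0:0:90:7:::
legacy:$6$constructed$hash::0:90:7:::
backup:!:17000:0:90:7:::
"""


def audit_password_age(shadow_text, today, policy_max_days=90, warn_days=14):
    """Return (account, status, detail) tuples for accounts needing attention."""
    findings = []
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            findings.append((fields[0], "MALFORMED", "fewer than 5 fields"))
            continue
        name, pw_hash, lastchg, _min_age, max_age = fields[:5]
        # '!' or '*' in the hash field means password login is locked.
        if pw_hash.startswith(("!", "*")):
            continue
        if lastchg == "":
            findings.append((name, "NO_AGING", "last change not recorded"))
            continue
        if not lastchg.isdigit():
            findings.append((name, "MALFORMED", "non-numeric last change"))
            continue
        if lastchg == "0":
            findings.append((name, "MUST_CHANGE", "change forced at next login"))
            continue
        age = (today - (EPOCH + timedelta(days=int(lastchg)))).days
        # Apply the stricter of the account's own maximum and the policy.
        limit = policy_max_days
        if max_age.isdigit():
            limit = min(limit, int(max_age))
        if age > limit:
            findings.append((name, "EXPIRED", f"{age} days old, limit {limit}"))
        elif age > limit - warn_days:
            findings.append((name, "DUE_SOON", f"{limit - age} days remaining"))
    return findings


if __name__ == "__main__":
    # Constructed audit date; a scheduled job would pass date.today().
    for account, status, detail in audit_password_age(SAMPLE_SHADOW, date(2018, 11, 30)):
        print(f"{status:12} {account:18} {detail}")
```

The service account in the sample carries a per-account maximum of 99999 days, so only the policy limit catches it; accounts configured that way are the ones a periodic check is most likely to miss.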
REFERENCES
Books and Journals
Wang, Z., 2020, February. Personal Information Security Risks and Legal Prevention from the Perspective of Network Security. In The International Conference on Cyber Security Intelligence and Analytics (pp. 113-117). Springer, Cham.
Ayaburi, E., Andoh-Baidoo, F. and Lee, J. U., 2020, January. Post Data Breach Use of Protective Technologies: An Examination of Users’ Dilemma. In Proceedings of the 53rd Hawaii International Conference on System Sciences.
Online
Marriott data breach FAQ: How did it happen and what was the impact? 2020. [Online]. Available Through: <https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html>.
11 Expert Tips for Data Breach Prevention in 2020. 2020. [Online]. Available Through: <https://i-sight.com/resources/data-breach-prevention/>.