One of the largest hotel conglomerates in the world has experienced another data breach, this time potentially affecting up to 400 individuals and about 20GB of data. In recent years, the hotel chain has repeatedly lost customer data to hackers, resulting in massive data loss, large fines from data breach penalties, and endless litigation. It’s increasingly clear that this organization has a failing cloud security strategy.
Databreaches.net was the first to report this latest data breach. They discovered the leak when hackers shared documents that appear to be hotel reservation records for an airline flight crew, including the crew’s names, job titles, hotel room numbers, and corporate credit card information. Marriott said through a spokesperson that it is informing 300 to 400 individuals of the breach, has notified law enforcement agencies and regulators, and is supporting investigations into the incident.
“Dissent Doe,” the pseudonymous data breach goddess, shared their opinion about this breach with news outlets, explaining, “Their security is very poor, there were no problems taking their data.”
Data breaches in the hospitality space are all too common, but in recent years this hotel chain seems to be haunted by data leaks, misconfigurations, and other errors leading to data breaches.
The hotel chain’s data breach woes began in 2014: in 2018, hackers working for the Chinese government were found to have stolen approximately 340 million guest records over a period of four years. In 2020, Marriott paid a $24 million fine, without admitting liability, to settle allegations that it had violated Europe’s General Data Protection Regulation by failing to ensure adequate security of personal data. Also in 2020, Marriott reported another breach that compromised 5.2 million customer records. The threat actors had access to the system for two months, exposing email addresses, mailing addresses, loyalty rewards numbers, and other personally identifiable information.
The hotel chain has since been continuously locked in litigation; U.S. District Judge Paul W. Grimm of the District of Maryland recently granted class certification to plaintiffs representing tens of millions of guests. Plaintiffs accuse Marriott of failing to undertake basic security measures for controlling access to databases containing guest information.
With millions spent on fines and legal fees in recent years, the costs of fines associated with breaches and damage to the brand will far outweigh the costs of staying ahead of the security curve.
While the breach may have been unavoidable, the cloud security the hotel has in place does not seem to be enough. The breach once again underlines the importance of protecting highly sought-after personal data and highlights some basic security failings, such as not keeping encryption keys in a separate location from the data resources they unlock, or not turning on MFA.
For many organizations, moving to the cloud has been a struggle. Their defense in depth was built around network controls, and they continue to rely on traditional network security controls. Managing the cloud as if it were a traditional network environment is a huge mistake in a cloud security strategy. The foundation of information security in the public cloud is identity-based security that controls access to cloud-based resources and data. Security professionals recognize that “identity is the new perimeter” for securing data in public clouds, and consequently, proper identity security is crucial to preventing access-related errors.
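As an added illustration of what identity-based control of cloud resources looks like in practice (example code written for this page, not from the original post or from Sonrai), the Python below statically audits AWS-style IAM policy documents for two of the failings the post names: access allowed without an MFA condition, and overly broad wildcard permissions. The field names follow the real IAM policy grammar (`Statement`, `Effect`, `Action`, `Resource`, `Condition`, `aws:MultiFactorAuthPresent`); the two policies themselves are constructed sample input, and the audit rules are this example’s own, not an AWS feature.

```python
"""Static audit of AWS-style IAM policy documents (added example, not from the post).

Two checks that map onto the post's "identity is the new perimeter" point:
  1. an Allow statement that grants a wildcard action or wildcard resource
  2. an Allow statement with no condition requiring MFA
Policies below are constructed sample input, invented for this demonstration.
"""
import json


def _as_list(value):
    """IAM allows scalar-or-list for Action/Resource/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(condition: dict) -> bool:
    """True if any Bool-type condition key demands aws:MultiFactorAuthPresent == true."""
    for operator, key_values in condition.items():
        # Operators such as "Bool" or "BoolIfExists" carry the MFA flag.
        if not operator.startswith("Bool"):
            continue
        for key, val in key_values.items():
            if key.lower() == "aws:multifactorauthpresent":
                if "true" in [str(v).lower() for v in _as_list(val)]:
                    return True
    return False


def audit_policy(policy: dict) -> list:
    """Return a list of human-readable findings for every Allow statement."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        # Deny statements tighten access; only Allow statements widen it.
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"stmt{index}")
        actions = [str(a) for a in _as_list(stmt.get("Action"))]
        resources = [str(r) for r in _as_list(stmt.get("Resource"))]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource")
        if not _requires_mfa(stmt.get("Condition", {})):
            findings.append(f"{sid}: Allow without an MFA condition")
    return findings


# Constructed sample: the kind of policy that treats identity as an afterthought.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}""")

# Constructed sample: scoped to one bucket, only when MFA was used, plus an
# explicit deny-unless-MFA statement (bucket ARN is a placeholder).
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadGuestExports", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-guest-exports/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")


def demo() -> dict:
    """Run both samples and return finding counts keyed by policy name."""
    return {
        "weak": audit_policy(WEAK_POLICY),
        "hardened": audit_policy(HARDENED_POLICY),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the module prints three findings for the weak policy (wildcard action, wildcard resource, no MFA condition) and none for the hardened one. A real deployment would feed the auditor the policies attached to every role and user rather than two inline samples, but the rule logic is the same.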
Procuring services or products that address the above would go a long way toward ensuring unauthorized access is prevented. Investing in security and building a more mature security platform is no longer a luxury but a necessity.
Thankfully, the data breach was low risk. That being said, an incredible undertaking will be required to restore brand security and undo the damage to the hotel’s reputation. This particular hospitality chain has a strong face-saving recovery strategy, but it will face brand trust issues for years to come.
*** This is a Security Bloggers Network syndicated blog from Sonrai | Enterprise Cloud Security Platform authored by Kelly Speiser. Read the original post at: https://sonraisecurity.com/blog/failed-cloud-security-strategy-haunts-hotel-chain/