As you may well have heard on the news, “the records of 500 million customers of the hotel group Marriott International have been involved in a data breach.” [1] An investigation has shown that attackers had access to the Marriott-owned Starwood network since 2014. This week’s blog looks at how this happened and what businesses can learn from Marriott’s case study.
The Marriott group database that was breached consisted of personal information including:
- General customer information (such as name, address, date of birth etc.)
- Phone number, email address (contact details)
- Potentially payment information too (it is reported that 327 million customers may have been affected in this area).
To summarise the grand scale of the damage done, Marriott has created a dedicated help website and direct helpline for those affected.
Reports show that this breach dates back as far as 2014. Even when Marriott purchased Starwood in 2016, nothing was noticed. The information taken is said to have been accessed by an “unauthorised party” who then “had copied and encrypted information”. [2]
What can businesses learn from this?
The Marriott case study is another example of the growing need for due diligence around network protection and regular checks. With 61% of data breaches hitting SMEs, it is not only the larger enterprises who are affected by the evolving cybersecurity landscape. [3]
Here are 3 top tips for achieving better peace of mind:
- Continual Server & Data Checks
For four years, Marriott’s attackers had been getting hold of private information. With regular security checks on servers and on data activity, it may well have become apparent that unwanted visitors were accessing this private data. One way to ensure this is done is by having your server monitored 24/7. Monitoring your server records all activity around it, which in turn enables you to act quickly in the event of a data breach.
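The following is an added example (not code from the original post, and not Marriott's or Starwood's tooling) of the kind of check that recorded server activity makes possible. It assumes a simple constructed log format (timestamp, account, source host, action, number of customer records read) and flags reads that break an account's normal pattern: out-of-hours access, a host the account has not been seen on during business hours, or a read far larger than the account's typical volume.

```python
"""Flag unusual customer-record reads in constructed server access logs."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines, not real data. Assumed format:
# <ISO timestamp> <account> <source host> <action> <records touched>
SAMPLE_LOG = """\
2018-11-19T09:02:11 svc-booking app-01 READ 120
2018-11-19T09:15:42 svc-booking app-01 READ 98
2018-11-19T10:03:05 jsmith ws-112 READ 3
2018-11-19T11:40:19 svc-booking app-01 READ 131
2018-11-19T23:47:51 svc-booking db-backup-9 READ 250000
2018-11-20T02:12:07 svc-booking db-backup-9 READ 180000
2018-11-20T09:01:33 svc-booking app-01 READ 110
"""


def parse_log(text):
    """Turn the assumed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "action": action, "count": int(count)})
    return events


def is_business_hours(ts, start=8, end=18):
    """Assumed working window; anything outside it is worth a second look."""
    return start <= ts.hour < end


def known_hosts(events):
    """Per-account hosts seen during business hours: the assumed 'normal' baseline."""
    hosts = defaultdict(set)
    for e in events:
        if is_business_hours(e["ts"]):
            hosts[e["account"]].add(e["host"])
    return hosts


def find_anomalies(events, volume_factor=10.0):
    """Return READ events that are out of hours, come from an unseen host,
    or exceed volume_factor times the account's median read size.
    Each hit carries the list of reasons it was flagged."""
    reads = [e for e in events if e["action"] == "READ"]
    counts = defaultdict(list)
    for e in reads:
        counts[e["account"]].append(e["count"])
    typical = {acct: median(c) for acct, c in counts.items()}
    hosts = known_hosts(reads)

    flagged = []
    for e in reads:
        reasons = []
        if not is_business_hours(e["ts"]):
            reasons.append("out-of-hours access")
        if e["host"] not in hosts[e["account"]]:
            reasons.append(f"unseen host {e['host']}")
        if e["count"] > volume_factor * typical[e["account"]]:
            reasons.append(f"bulk read of {e['count']} records "
                           f"(typical {typical[e['account']]:.0f})")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_anomalies(parse_log(SAMPLE_LOG)):
        print(hit["ts"].isoformat(), hit["account"], hit["host"],
              "; ".join(hit["reasons"]))
```

Run against the sample, the two night-time reads from `db-backup-9` are flagged on all three counts while the routine daytime reads are not. One caveat that the Marriott timeline illustrates: the baseline here is computed from the same log it inspects, so an intrusion that runs for years quietly becomes "normal". In practice the typical volumes and known hosts should be taken from a period you have already reviewed and trust, and the records must be kept somewhere the attacker cannot edit.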
- Proactively Test your Network Security
Prevention is better than cure! By proactively testing, you improve your chances of identifying security loopholes before hackers get there. Ask your IT provider for a network vulnerability scan, and make sure your people are trained in key areas of workplace security, such as phishing email awareness. To go one step further, penetration testing is an authorised, simulated attack that can be undertaken to test your server. The aim of this test is to see where attackers could find ways into your network.
- Put a Business Continuity Plan in Place
Business continuity is defined as the ability of a business to continue delivering at pre-determined levels following a disruptive occurrence. Having a disaster recovery plan in place that can be effectively implemented if the worst does occur is therefore essential for ensuring continuity of business operations. 40% of businesses are forced to close down following critical data loss. Of those that do manage to get back up and running, a further 25% are shown to fail within the following year, so having a plan in place that recovers lost or breached data as quickly as possible is highly recommended.
The Marriott Hotel data breach has highlighted some much-needed concerns for businesses. Cyber-crime is ever-growing, but the associated risk can be mitigated through necessary due diligence, carefully thought-out security awareness, and disaster recovery planning.
[1] BBC News. (2018). Marriott hack hits 500 million guests. [online] Available at: https://www.bbc.co.uk/news/technology-46401890
[2] BBC News. (2018). Marriott hack hits 500 million guests. [online] Available at: https://www.bbc.co.uk/news/technology-46401890
[3] Irwin, L. (2018). 61% of data breaches hit SMEs. [online] IT Governance Blog. Available at: https://www.itgovernance.eu/blog/en/61-of-data-breaches-hit-smes