One of the largest hotel conglomerates in the world experienced another data breach, this time potentially affecting up to 400 individuals and 20GB of data. In recent years, the hotel chain has repeatedly lost customer data to hackers, resulting in massive data loss, large fines from data breach penalties, and endless litigation. It is increasingly clear that this organization has a failing cloud security strategy.
Data breaches in the hospitality space are all too common, but in recent years this hotel chain seems to be haunted by data leaks, misconfigurations, and other errors leading to data breaches.
The hotel chain's data breach woes began in 2014: in 2018, hackers working for the Chinese government were found to have stolen approximately 340 million guest records over a period of four years. In 2020, Marriott paid a $24 million fine without admitting liability to settle allegations that it had violated Europe's General Data Protection Regulation by failing to ensure adequate security of personal data. Also in 2020, Marriott reported another breach that compromised 5.2 million customer records. The threat actors had access to the system for two months, exposing email addresses, mailing addresses, loyalty rewards numbers, and other personally identifiable information.
The hotel chain has since been continuously locked in litigation, with U.S. District Judge Paul W. Grimm of the District of Maryland recently granting class certification to plaintiffs representing tens of millions of guests. Plaintiffs accuse Marriott of failing to undertake basic security measures for controlling access to databases containing guest information.
With millions spent on fines and legal fees in recent years, the costs of fines associated with breaches and damage to the brand will far outweigh the costs of staying ahead of the security curve.
While the breach may have been unavoidable, the cloud security the hotel has in place does not seem to be enough. The breach once again underlines the importance of protecting highly sought-after personal data and highlights some basic security failings, such as failing to keep encryption keys in a separate location from the data resources they unlock, or failing to turn on MFA.
For many organizations, moving to the cloud has been a struggle. Their defense in depth was dominated by network controls, and they continue to rely on traditional network security controls. Managing the cloud as if it were a traditional network environment is a huge mistake in a cloud security strategy. The foundation of information security in the public cloud is identity-based security that controls access to cloud-based resources and data. Security professionals recognize that "identity is the new perimeter" for securing data in public clouds, and consequently, proper identity security is crucial to preventing access-related errors.
Procuring services or products that address the above would go a long way to ensuring unauthorized access is prevented. Investing in security and building a more mature security platform is no longer a luxury but a necessity.
Thankfully, the data breach was low risk. That being said, an incredible undertaking will be required to regain brand security and undo the damage to the hotel's reputation. This particular hospitality chain has a strong face-saving recovery strategy but will face brand trust issues for years to come.
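The following is an added example, not part of the original post and not Sonrai's own product configuration, of what an identity-based control looks like in practice. It assumes an AWS account where guest data lives in an S3 bucket (the bucket name guest-records-example is a placeholder) and uses the standard AWS IAM condition key aws:MultiFactorAuthPresent. The first statement is the weak form the post warns about: any principal holding the policy can read the data with a plain access key. The second statement is the corrective control, denying every action on the bucket whenever the caller did not authenticate with MFA, so a leaked long-lived credential on its own no longer unlocks the data.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WeakUnconditionalRead",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::guest-records-example",
        "arn:aws:s3:::guest-records-example/*"
      ]
    },
    {
      "Sid": "DenyWithoutMFA",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::guest-records-example",
        "arn:aws:s3:::guest-records-example/*"
      ],
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

Because an explicit Deny in IAM always overrides an Allow, the second statement neutralizes the first unless the session carries an MFA assertion; BoolIfExists (rather than Bool) makes the deny apply even to requests where the key is absent entirely, which is the case for plain access-key calls. The same pattern should be paired with separating the KMS key policy from the bucket policy so that compromise of one identity does not hand over both the data and the key that decrypts it.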