Big Company, Big Breaches, Big Settlement
If you’ve ever stayed at a hotel, you’ve probably stayed with Marriott. Marriott International is the world’s largest hotel company, with nearly 8,900 properties in 141 countries and territories. That’s a lot.
They have another distinction: Marriott and Starwood Hotels & Resorts Worldwide, LLC, now a Marriott subsidiary, suffered three major cyber security breaches in the last decade, affecting over 344 million guest and loyalty records. What was taken? Everything from passport numbers and personal information to payment card data and hotel stay history.
Now Marriott International has agreed to a $52 million settlement with 50 states and D.C. This multistate action by state attorneys general over the three breaches is just one of the penalties facing the hotel giant: it is the largest against the company to date, and it clears the way for further actions in other countries.
The Federal Trade Commission investigated in parallel with the states and has imposed its own terms. The FTC order requires Marriott International and its subsidiary Starwood Hotels & Resorts Worldwide LLC to put in place “a robust information security program” and to improve data security practices “using a dynamic risk-based approach” to protecting customer data. The $52 million payment goes to the states under the separate multistate settlement.
Allegations by Attorneys General
The attorneys general alleged that Marriott violated state consumer protection laws, personal information protection laws, and breach notification laws by failing to implement reasonable data security and to fix data security holes, particularly when integrating Starwood into Marriott’s systems.
What Happened in Marriott Data Breaches
Strike 1
Starwood Payment Card Data
In June 2014, Starwood Hotels & Resorts suffered a breach of payment card information for over 40,000 Starwood guests. The intruders went unnoticed for more than a year, and Starwood only told customers in November 2015, four days after the Marriott acquisition was announced.
How Breach Happened
Hackers used compromised credentials and unprotected administrative accounts to install malware and access customer information.
Strike 2
Starwood Guest Records
From July 2014 to September 2018, attackers stole 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. This second intrusion into Starwood went undetected for more than four years.
How Breach Happened
Attackers installed malware, including keyloggers, remote access tools and memory scrapers, on more than 480 systems across 58 locations, and used it to steal the 339 million personal records.
Strike 3
Marriott Guest Records
Attackers accessed 5.2 million guest records worldwide, including those of 1.8 million Americans. Names, mailing addresses, email addresses, phone numbers, birth day and month, and loyalty account information were exposed. The network access went undetected from September 2018 until February 2020.
How Breach Happened
Attackers used compromised employee credentials to get into Marriott’s network several times.
States Hold Marriott Accountable
“Companies have an obligation to take reasonable measures to protect consumer data security. Marriott clearly failed to do that, resulting in the breach of the Starwood computer network and the exposure of personal information for millions of its guests. This 50-state settlement, co-led by Connecticut, forces a strong system of risk-based protections to guard against ever-evolving threats to cybersecurity. We will continue to work closely with our multistate partners across the country to ensure companies are taking all reasonable precautions to protect our personal information.”
– Connecticut Attorney General William Tong
Settlement Requirements for Marriott
The following are the requirements of the settlement with the states and D.C.:
- Pay $52 million to the U.S. states & D.C.
- Allow U.S. customers to request deletion of personal information tied to their email address or loyalty rewards account number, review loyalty rewards accounts on customer request, and restore stolen loyalty points.
- Implement a comprehensive Information Security Program, including new overarching mandates such as zero-trust principles, regular security reporting to the highest levels of the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
- Meet data minimization and disposal requirements, so that less consumer data is collected and retained.
- Meet specific security requirements for consumer data, including component hardening, an asset inventory, encryption, segmentation to limit an intruder’s ability to move across the network, patch management so that critical security patches are applied promptly, intrusion detection, user access controls, and logging and monitoring that tracks the movement of files and users within the network.
- Increase vendor and franchisee oversight, with special emphasis on risk assessments for “Critical IT Vendors” and clearly written contracts with cloud providers.
- If Marriott acquires another entity in the future, promptly assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies as part of integrating it into Marriott’s network.
- Undergo an independent third-party assessment of its information security program every two years for a period of 20 years.
- Offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy.
- Review rewards accounts when there is suspicious activity.
Additional FTC requirements:
Under the FTC order, Marriott must investigate suspicious activity within 24 hours and provide assessments and reports on any future data breaches within 120 days.
What You Can Learn from Marriott
LOCK DOWN SYSTEMS
Zero Trust, Deny by Default
This is a strategy Aditi Group favors and offers to its clients. Unlike anti-malware or anti-virus programs, which look for what is already running, downloaded or installed, we lock computers down to deny by default, so software that is not explicitly approved cannot install or run, even after it has been downloaded.
We limit which programs can be installed, run, or even uninstalled to those we allow, and within those programs only expected actions are permitted. The computer and data resources a program may use are governed by an allow-list. In essence, it is the IT manager’s dream: lock everything down to just what is needed to do the job. We also limit escalation of rights, so an everyday user account cannot be turned into an Administrator account.
With this approach, the malware, keyloggers, memory scrapers and remote access tools used against Starwood would never have been allowed to install or run. The caveat is that an allow-list is only as strong as the accounts that can change it: the unprotected administrative accounts abused in the first Starwood breach could have been used to edit the policy itself, so changes to the allow-list must themselves be tightly restricted and logged.
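As an added illustration of deny-by-default allow-listing (example code written for this article, not Aditi Group’s product and not code from Marriott or Starwood), the Go program below models a policy the way application-control tools such as Windows AppLocker or WDAC enforce one: a program may run only if the SHA-256 of its file matches a rule, it may run elevated only if its rule says so, and it may launch only the child programs its rule names. The rule set, the program names and the byte strings standing in for executables are all constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Rule is one allow-list entry. A program is identified by the SHA-256 of its file
// contents, so a patched or trojanised copy no longer matches. The rule also names
// the child programs it is expected to launch and whether it may run elevated.
type Rule struct {
	Name     string
	SHA256   string
	Children []string
	Elevated bool
}

// Policy is a deny-by-default allow-list: anything without a matching rule is refused.
type Policy struct{ byHash map[string]Rule }

// Decision is the outcome of a check plus a reason suitable for the audit log.
type Decision struct {
	Allowed bool
	Reason  string
}

func hashOf(contents []byte) string {
	sum := sha256.Sum256(contents)
	return hex.EncodeToString(sum[:])
}

func NewPolicy(rules ...Rule) *Policy {
	p := &Policy{byHash: map[string]Rule{}}
	for _, r := range rules {
		p.byHash[r.SHA256] = r
	}
	return p
}

// CheckExec decides whether a binary may run, and whether it may run elevated.
// The default, taken whenever no rule matches, is to deny.
func (p *Policy) CheckExec(contents []byte, elevated bool) Decision {
	r, ok := p.byHash[hashOf(contents)]
	switch {
	case !ok:
		return Decision{false, "deny by default: hash " + hashOf(contents)[:12] + " is not on the allow-list"}
	case elevated && !r.Elevated:
		return Decision{false, r.Name + " is allowed, but not with elevated rights"}
	}
	return Decision{true, r.Name + " matches an allow-list rule"}
}

// CheckSpawn enforces "only expected actions": an allowed parent may launch a
// child only if the child is itself allow-listed and named in the parent's rule.
func (p *Policy) CheckSpawn(parent, child []byte) Decision {
	pr, ok := p.byHash[hashOf(parent)]
	if !ok {
		return Decision{false, "deny by default: parent is not on the allow-list"}
	}
	cr, ok := p.byHash[hashOf(child)]
	if !ok {
		return Decision{false, pr.Name + " tried to launch a binary that is not on the allow-list"}
	}
	for _, name := range pr.Children {
		if name == cr.Name {
			return Decision{true, pr.Name + " may launch " + cr.Name}
		}
	}
	return Decision{false, pr.Name + " is not expected to launch " + cr.Name}
}

// Constructed stand-ins for executables; in practice these are the bytes of the file on disk.
var (
	binWord       = []byte("constructed: word processor build 1.0")
	binPDF        = []byte("constructed: pdf reader build 2.3")
	binPowerShell = []byte("constructed: powershell host")
	binUpdater    = []byte("constructed: signed updater service")
	binMalware    = []byte("constructed: keylogger dropped by an attacker")
)

// DemoPolicy is the example allow-list: four known programs, one of which may run elevated.
func DemoPolicy() *Policy {
	return NewPolicy(
		Rule{Name: "word", SHA256: hashOf(binWord), Children: []string{"pdfreader"}},
		Rule{Name: "pdfreader", SHA256: hashOf(binPDF)},
		Rule{Name: "powershell", SHA256: hashOf(binPowerShell)},
		Rule{Name: "updater", SHA256: hashOf(binUpdater), Elevated: true},
	)
}

func main() {
	p := DemoPolicy()
	fmt.Println(p.CheckExec(binWord, false))          // allowed
	fmt.Println(p.CheckExec(binMalware, false))       // denied: unknown hash
	fmt.Println(p.CheckExec(binWord, true))           // denied: word may not run elevated
	fmt.Println(p.CheckSpawn(binWord, binPowerShell)) // denied: not an expected child
	fmt.Println(p.CheckSpawn(binWord, binPDF))        // allowed
}
```

The interesting lines are the third and fourth: the word processor is a legitimate, approved program, yet it still cannot gain administrator rights or spawn the PowerShell host, which is exactly the step a dropped keylogger or memory scraper needs. A real deployment also signs and version-controls the rule set, because whoever can write to it can allow anything.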
KNOW THE RISKS
Regular Risk Assessments
Marriott strayed from its forward-looking nature and its focus on people and excellence. While Marriott was not responsible for what Starwood did or failed to do before the takeover, it became responsible afterward and should have started with step one of IT security: a risk assessment.
Aditi Group, like its peers who support data privacy laws such as HIPAA and consumer protection laws, knows that good security begins with identifying the risks, followed by plans to close the holes and reduce those risks. The most common and first item noted in HIPAA violation settlements is the lack of a proper risk assessment.
This is also an age-old precept of warfare: know your own strengths and weaknesses, and anticipate how the other side may try to exploit weak defenses and human behavior.
Risk assessments, and acting on the gaps they find, help prevent breaches and reduce penalties if problems do happen.
DO THE BASICS
Encryption, Multi-factor Authentication
A second take-away is to make sure the basic tools and techniques are actually in use. The stolen data included unencrypted passport numbers and personal contact details. Encryption is a basic data security measure that should be switched on for any data that can be used for identity or credit fraud. Numerous state, federal and international data privacy laws require encryption or de-identification of sensitive data. This is nothing new; it should be the norm.
MFA stops most account compromises that rely on a stolen password alone, which is how two of the three breaches began. Encrypted data is useless to an attacker who does not also obtain the key, so the key has to live somewhere the attacker cannot reach from the database: encrypting the passport column with a key stored on the same server protects very little.
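To show what “encrypt the passport number” looks like in practice, here is an added example (written for this article, not code from Marriott, Starwood or Aditi Group) of field-level encryption in Go using AES-256-GCM from the standard library. The guest record, the key handling and the passport value are constructed for the example; in a real deployment the key comes from a KMS or HSM and never sits beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// FieldVault encrypts individual sensitive columns (passport number, payment card)
// with AES-256-GCM. The key comes from outside, e.g. a KMS or HSM, so a copy of
// the database alone is unreadable.
type FieldVault struct{ aead cipher.AEAD }

func NewFieldVault(key []byte) (*FieldVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldVault{aead: aead}, nil
}

// Seal encrypts one field value. context identifies the row and column (for example
// "guest:4711:passport"); it is authenticated but not encrypted, so a ciphertext
// copied into another guest's row will not decrypt.
func (v *FieldVault) Seal(plaintext, context string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Stored layout: nonce || ciphertext || 16-byte GCM tag, base64 for a text column.
	sealed := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts a stored field; it fails on a wrong key, a wrong context or any modified byte.
func (v *FieldVault) Open(stored, context string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(raw) < n+v.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(context))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong context or tampered data")
	}
	return string(plain), nil
}

// GuestRow is what the database stores: the passport number exists only as ciphertext.
type GuestRow struct {
	GuestID        int
	Name           string
	PassportSealed string
}

func passportContext(guestID int) string { return fmt.Sprintf("guest:%d:passport", guestID) }

// StoreGuest builds the row for a new guest, encrypting the passport number before it is written.
func StoreGuest(v *FieldVault, id int, name, passport string) (GuestRow, error) {
	sealed, err := v.Seal(passport, passportContext(id))
	if err != nil {
		return GuestRow{}, err
	}
	return GuestRow{GuestID: id, Name: name, PassportSealed: sealed}, nil
}

// ReadPassport is the one code path that sees the clear value, for the check-in screen that needs it.
func ReadPassport(v *FieldVault, row GuestRow) (string, error) {
	return v.Open(row.PassportSealed, passportContext(row.GuestID))
}

func main() {
	key := make([]byte, 32) // in production fetched from a KMS, never stored beside the data
	rand.Read(key)
	v, _ := NewFieldVault(key)
	row, _ := StoreGuest(v, 4711, "A. Guest", "X12345678") // constructed sample, not a real passport number
	fmt.Println("stored:", row.PassportSealed)
	fmt.Println(ReadPassport(v, row))
}
```

Two design points matter more than the cipher choice. The guest ID and column name are bound to the ciphertext as associated data, so a ciphertext cannot be quietly moved between guests, and any change to the stored bytes fails authentication instead of decrypting to garbage. Random 96-bit GCM nonces are fine at this scale, but a key used across hundreds of millions of records should be rotated well before 2^32 encryptions so that nonce collisions stay negligible.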
KEEP ONGOING AWARENESS
Monitor Data Going Out, Monitor Account Logins, Malware Scans
Each of the Starwood and Marriott breaches ran for more than a year before it was detected, and the longest ran for over four years. That’s a lifetime in the electronic data world. This is why anti-virus and cyber security programs put ever more emphasis on pattern recognition or behavioral analysis: they look for anomalies, just as your credit card company locks your card when you suddenly buy $100 of gasoline three times in 30 minutes at 3 a.m. and decides “that didn’t look like you.”
Monitoring of outbound data, account logins and malware activity should have revealed these intrusions in a short time, not years.
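As an added example of the behavioral monitoring described above (constructed for this article; it is not Aditi Group’s monitoring product, and the log lines are made up, using RFC 5737 test addresses), the Go program below runs two simple rules over login and egress events: a successful login for the same account from two different countries within an hour, and a host sending more than a baseline volume outbound within an hour. The log format, field names and thresholds are assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed log line of the form "<RFC3339 time> <kind> k=v ...", kind "login" or "egress".
type Event struct {
	At                                 time.Time
	Kind, User, Src, Geo, Result, Host string
	Bytes                              int64
}

// ParseLine parses one line; unknown keys are ignored and a bad timestamp is an error.
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, s := range f[2:] {
		if p := strings.SplitN(s, "=", 2); len(p) == 2 {
			kv[p[0]] = p[1]
		}
	}
	n, _ := strconv.ParseInt(kv["bytes"], 10, 64) // zero on login lines
	return Event{at, f[1], kv["user"], kv["src"], kv["geo"], kv["result"], kv["host"], n}, nil
}

// Alert names the rule that fired, the user or host it concerns, and why.
type Alert struct{ Rule, Subject, Detail string }

// recent drops events older than window relative to now (input is time-ordered).
func recent(s []Event, now time.Time, window time.Duration) []Event {
	for len(s) > 0 && now.Sub(s[0].At) > window {
		s = s[1:]
	}
	return s
}

// Detect applies two behavioural rules to time-ordered events: geo-jump (one user logs in from
// two different geos within window) and egress-spike (one host sends more than egressBaseline
// bytes within window; it alerts once, when the rolling total first crosses the baseline).
func Detect(events []Event, window time.Duration, egressBaseline int64) []Alert {
	var alerts []Alert
	lastOK := map[string]Event{}   // last successful login per user
	egress := map[string][]Event{} // egress events per host inside the window
	for _, e := range events {
		switch e.Kind {
		case "login":
			if e.Result != "success" {
				continue
			}
			if prev, ok := lastOK[e.User]; ok && prev.Geo != e.Geo && e.At.Sub(prev.At) <= window {
				alerts = append(alerts, Alert{"geo-jump", e.User, fmt.Sprintf("%s (%s) then %s (%s) %s apart", prev.Geo, prev.Src, e.Geo, e.Src, e.At.Sub(prev.At))})
			}
			lastOK[e.User] = e
		case "egress":
			win := recent(egress[e.Host], e.At, window)
			var before int64
			for _, w := range win {
				before += w.Bytes
			}
			egress[e.Host] = append(win, e)
			if after := before + e.Bytes; before <= egressBaseline && after > egressBaseline {
				alerts = append(alerts, Alert{"egress-spike", e.Host, fmt.Sprintf("%d bytes in %s, baseline %d", after, window, egressBaseline)})
			}
		}
	}
	return alerts
}

// sampleLog is constructed for this example (RFC 5737 test addresses); it is not Marriott or Starwood data.
const sampleLog = `2020-02-01T03:10:31Z login user=a.guest src=203.0.113.7 geo=US result=success
2020-02-01T03:40:00Z login user=a.guest src=198.51.100.9 geo=RU result=success
2020-02-01T03:41:00Z egress host=db-frontdesk-02 bytes=50000000
2020-02-01T03:45:00Z egress host=db-frontdesk-02 bytes=700000000
2020-02-01T04:00:00Z login user=b.clerk src=192.0.2.5 geo=US result=fail
2020-02-01T04:00:30Z login user=b.clerk src=192.0.2.5 geo=US result=success`

// RunSample parses sampleLog and runs Detect with a one-hour window and a 500 MB/hour baseline.
func RunSample() ([]Alert, error) {
	var events []Event
	for _, line := range strings.Split(sampleLog, "\n") {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, e)
	}
	return Detect(events, time.Hour, 500_000_000), nil
}

func main() { fmt.Println(RunSample()) }
```

Both rules flag behavior rather than known malware signatures, which is why they stand a chance against a multi-year intrusion that signature scanning missed. In a real deployment the per-host baseline comes from observed history rather than a constant, and the geo rule is tuned to known VPN and proxy egress points; otherwise it produces noise that analysts learn to ignore.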
Marriott History
Marriott Brands
- The Ritz-Carlton®
- St. Regis®
- JW Marriott®
- Ritz-Carlton Reserve®
- The Luxury Collection®
- W Hotels®
- EDITION®
- Marriott Hotels®
- Sheraton®
- Marriott Vacation Club®
- Delta Hotels®
- Westin®
- Le Méridien®
- Renaissance Hotels®
- Gaylord Hotels®
- Courtyard Hotels®
- Four Points®
- SpringHill Suites®
- Fairfield Inn & Suites®
- AC Hotels®
- Aloft Hotels®
- Moxy Hotels®
- Protea Hotels®
- City Express®
- Four Points Flex by Sheraton
- Residence Inn®
- TownePlace Suites®
- Element®
- Homes & Villas by Marriott Bonvoy®
- Apartments by Marriott Bonvoy®
- Marriott Executive Apartments®
- Autograph Collection Hotels®
- Design Hotels®
- Tribute Portfolio®
- MGM Collection with Marriott Bonvoy
Marriott International is the world’s largest hotel chain, and with over 30 brands you are bound to be familiar with some of them. This dizzyingly long list covers resort, boutique, luxury, business travel, extended stay and budget economy stays. You’ve probably stayed in some of their nearly 8,900 properties in 141 countries and territories.
From Root Beer to Global Empire
J.W. and Alice Marriott founded this global leader from humble beginnings in 1927, serving A&W Root Beer at a stand in D.C. that grew into the Hot Shoppes diners. That grew into food service for the airline industry, and the momentum carried on into cafeteria management services.
Thirty years after serving their first root beer, the company moved into hotels with the Twin Bridges Motor Lodge. Led by Bill Marriott, Jr., this foray into hotels grew and grew over the next 50 years into an international hotel giant. In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide, creating the world’s largest hotel company.
That long trajectory of expansion was guided by corporate values of seizing opportunities and changing with the times. This latest cybersecurity breach settlement is a story of Marriott missing the mark on its own values.
Marriott did not do everything it should have to protect customers like you and me after the 2016 takeover of Starwood.
Starwood and Marriott Fell Short of Core Values
J.W. and Alice Marriott built the empire on strong business and ethical core values. Has the company held true to them in the customer data privacy realm? These are the values Marriott highlights today:
Put People First, Act with Integrity, Pursue Excellence
Embrace Change, Serve Our World
Act with Integrity
“How we do business is as important as the business we do. We hold ourselves to uncompromising ethical and legal standards. This extends to our day-to-day business conduct, our employee policies, our supply chain policies, our environmental programs and practices, and our commitment to human rights and social responsibility.”
Lessons for Everyone
While Marriott and Starwood cannot turn the clock back and prevent the breaches of personal data that have already happened, they can now make security a “Job One” priority. We hope that other companies learn from Marriott’s experience and from the judgments of the attorneys general and the FTC. Apply the lessons to your organization and keep private data private and secure.
Need Help?
Aditi Group, Inc. provides Zero Trust security tools, including deny-by-default application control, data encryption, multi-factor authentication, password management, account and network monitoring, and risk assessments. Call or message us to learn more today.