Big Company, Big Breaches, Big Settlement

If you’ve ever stayed at hotel, you’ve probably stayed with Marriott.  Marriott International is the world’s largest hotel company.  Nearly 8900 properties in 141 countries and territories. Wow! That’s a lot.

They have another distinction:  Marriott and now subsidiary company Starwood Hotels & Resorts Worldwide, LLC suffered three major cyber security breaches in the last decade affecting over 344 million guest and loyalty records.  What was it? Everything from passport numbers and personal info to payment card info and hotel stay history.

Now Marriott International has approved a $52 million settlement with 50 states and D.C.  The group action of 50 state attorneys general over three breaches that have plagued Marriott is just one of the penalties against the hotel giant.  It paves the way for more actions in other countries and is only the latest and largest to date for the company.

The Federal Trade Commission worked in parallel with the 50 states investigation and has imposed other terms.  The FTC requires Marriott International and subsidiary Starwood Hotels & Resorts Worldwide LLC to put in place “a robust information security program.” Marriott will improve data security practices “using a dynamic risk-based approach” with customer data protections, and pay $52 million to States.

Allegations by Attorneys General

Marriott violated state consumer protection laws, personal information protection laws, and breach notification laws by failing to implement reasonable data security and fix data security holes.  Particularly with integrating Starwood into Marriott systems.

What Happened in Marriott Data Breaches

Settlement Requirements for Marriott

The following are requirements of the settlement with the States & DC

• • Pay $52 million to the U.S. states & D.C.

  • Allow U.S. customers to request deletion of personal info tied to their email address or loyalty rewards account number. And they must review loyalty rewards accounts upon customer request and restore stolen loyalty points.
  • Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
  • Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
  • Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
  • In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.
  • Offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy
  • Review rewards accounts if there is suspicious activity.

Additional FTC REquirements:

Marriott must investigate suspicious activity within 24 hours and provide assessments and reports for future data breaches within 120 days.

Marriott History

Marriott International is the world’s largest hotel chain.   With over 30 brands, you’re familiar with them.  This dizzyingly large list covers the range of resort, boutique, luxury, business traveler, extended stay and budget economy stays.  You’ve probably stayed in many of their nearly 8900 properties in 141 countries and territories.

From Root Beer to Global Empire

J.W. and Alice Marriott founded this massive global leader from humble beginnings in 1927, serving A & W Root Beer in D.C. stand that grew to Hot Shoppe diners.  This grew into food service for the airline industry.  Momentum grew into cafeteria management services. 

Thirty years after serving their first root beer, the company drifted into hotels with Twin Bridges Motor lodge. Led by Bill Marriott, Jr., this foray into hoteling grew and grew over the next 50 years into an international hotel giant.   In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide creating the world’s largest hotel company.

The long trajectory of expansion was guided and maintained by corporate values of realizing opportunities and changing with the times.  This latest cybersecurity breach settlement for Marriott is a story of missing the mark with company values. 

Marriott didn’t do everything they should have to protect customers like you and me after the 2016 take-over of Starwood.

Starwood and Marriott Fell Short of Core Values

Lessons for Everyone

While Marriott and Starwood can’t turn the clock back and prevent the breaches of personal data that have already happened, they can now make security a “Job One” kind of priority.  And we hope that other companies learn from Marriott’s experiences and the judgements of attorneys general and the FTC.   Apply the lessons for your organiztion and keep private data private and secure.

Need Help?

Aditi Group, Inc provides Zero Trust security tools including deny-by-default, data encryption, multi-factor authentication, password management, account and network monitoring, and risk assessments.   Call or message us to learn more today.

<<   IT Managers’ Dream

The fantasy for many a CISO or IT manager is to fully lock down every computer.  No one gets admin rights but them.  No one else can make changes, install risky software, use weak passwords, move data with insecure ways, or otherwise erode the secure defenses our IT leaders put in place.

>>  IT Reality

Keeping offices in forward motion and appeasing staff traditionally means trade-offs.  We vote for quick and easy over secure and thorough and secure.  The real picture is too often weak or compromised security to allow programs and people to get the job done.  Thieves pray on the security trade-offs and compromises we make for convenience.  Something to exploit!

Enjoy the Security & Productivity Rewards

We can have our cake AND eat it too.  We can now effectively and securely enable powerful software tools while reducing cybersecurity risks.  This is the not the end-all, be-all for security, but it significantly reduces risk of hacking of valuable financial data.  And that can be the difference between having a thriving accounting, bookkeeping, or tax preparation business and lawsuits and penalties for allowing hackers to get to client data.

Weakness Scoring System

Our Federal government division witin the Department of Commerce, under the National Institute of Standards and Technology, NIST, has a National Vulnerability Databaase designed to help the public, and especially the technical administrators of IT systems to guage potential weaknesses or vulnerabilities in software and hardware systems.  

NIST has been working with private industry and other public sector organizations to rate and maintain a catalog of IT threats.   Originally started in 1999 under another name, and as an effort between NIST, SANS institute, and othrs, under the name ICAT or Internet Category Attack Toolkit.  It evolved and even faced death by lack of budgets until rebranded as NVD in 2005 and supported more fully.  

Security Advisory

Yubico, maker of YubiKeys, issued this advisory of vulnerabilities in their software application YubiKey Manager GUI  https://www.yubico.com/support/security-advisories/ysa-2024-01/

Bottomline

Update Software.  Keep using advanced security options like hardware MFA tools.

The Goals of Blockchain: Trust and Security

What is Blockchain? Blockchain explained for non-coders

Blockchain is a way of recording that sequentially links every revision of a a record, in a distributed / shared log (or ledger for finance folks).  Every transaction is recorded in an every growing record chain.

Featues of Blockchain Records

• decentralized digital record ledger
• data records (blocks) are tied together in time sequence
• any change to a record adds a new block
• nothing can be deleted or changed without a record as evidence
• “tamper proof”
• can be used for any kind of data
• distributed network – doesn’t reside on just one computer or desk

Security and Trust

Blockchain brings the promise of trusted data, and impossible…or very low probability of fakes. It can allow a person to own their own data and share it with the world as they choose. Panacea.

Code Is Opportunity

But this is code and electronics. There is always some relative weakness.  Code is the realm of hacks.

Crypto hacks have shown that environments where blockchain are used are not unlike other things in the cyber world.  Regardless of how trusted or secure a blockchain inidivudal record is, the the application or system it’s used in is vulnerable to the same old cybersecurity problems that befall everyone else.

Two main ways: stolen keys (the passwords), and exploiting bugs in code. Here are some expensive examples:

The Nine Largest Crypto Hacks in 2022

The biggest cryptocurrency hacks of all time

Where is Blockchain Used?  Is it Here Yet?

Blockchain is being introduced in the background with the big insurers, banks, pharma, governments, etc. For most of us, we won’t see it or it won’t affect us for a while (some years).  Blockchain is really only encoutered by most people who invest in or read about crypto currencies.  What blockchain offers crypto is the distributed, trusted accounting that is needed when there is no central bank.  It’s the perfect and obvious applicaiton for this new way of tracking transactions.

Healthcare Blockchain & How It’s Used

Blockchain methodology and application are still in the infancy stages for the healthcare industry as a whole. There is an ever increasing number of companies applying blockchain in different ways.

Some create trusted data share groups.  These allow us patients – us individuals to own and control our personal medical history records.  We can choose who we allow to view and add to our records.  And they can’t be tampered with.  That’s real power in the hands of the people. 

Some healthcare blockchain companies and projects focus on the validation of drug history, DNA info, etc. This is similar to traceability that supply chains are generally concerned with.  Knowing the history or the full life path of who touched an item from raw material and out and into the marketplace, is important for controlling quality, safety, and accountability for problems.

Other blockchain tech companies just create data network protocols (the code stuff) or hardware (like crypto currency wallets).  These support products and services advance the practicality and usefulness of blockchain in healthcare.

Why Aren’t We All Using Blockchain?

What’s the Holdup? We need trusted, secure solutions today!

The Performance Problem

Blockchains also suffer from a capacity problem. That’s the reason one crypto currency has not really won out yet. Each transaction must be written somewhere. Therefore, the greatest strides have been done through supply chain. Once the object has been delivered, it can be archived or erased. Food is the one application that holds the greatest promise. A head of lettuce grown in a field can be tracked until sold. If a contamination is discovered, tracking to the field, within a farm, can be pulled out of the blockchain in an instant.

Cons for using blockchain are processing speed and resources needed. It can consume a lot of computing power to solve the complex cryptographic equations for validating a record to be added to a chain. For crypto currencies, this is one way you get paid – by “mining” or by computing a new record. It takes time, so fewer transactions per second and computing power and electrical power. Both cost money…real money. : )

Healthcare faces the same limits as currency. People live a long time. Each prescription, procedure, etc. must be kept for the life of the individual. The cloud is not limitless. Everything has a capacity.

Listen in as we kick off Cybersecurity Month with another great interview by Dorothy Cociu on the Benefits Executive Roundtable.  In this show we discuss hot security topics and security breaches in 2022 and 2021.  Find out what’s been happening and what you can avoid being a statistic!

Listen and follow the podcast series Benefits Executive Roundtable:

https://advancedbenefitconsulting.com/s4e6-data-security-risks-and-importance-of-cybersecurity-part-1/?

Read the article in the STATEment May / June 2022 issue