5 Cybersecurity Lessons from the Marriott / Starwood Data Breach

“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Arne Sorenson, Marriott’s President and Chief Executive Officer

Marriot’s recently announced data security breach is a lesson in cybersecurity for all.

The organization’s challenge to address what happened, restore credibility, and take swift action to prevent another breach should be a wake-up call for any enterprise, in any industry.

Early details suggest that encryption keys were stolen along with credit card information. What’s even more disturbing is Starwood’s inadequate encryption key management policies and practices – the absence of breach detection (and the fact that it has been going on for four years under Starwood) is nothing short of alarming.

There’s no doubt that Marriott International has established policies and procedures designed to protect data and detect malicious anomalies. This breach on Starwood’s data suggests either an internally-initiated cyberattack or one that occurred as a result of hijacking elevated credentials of a user.

While distressing, this incident serves as a reminder that today’s security is at the heart of every digital business.

Lesson one: payment information should never be stored alongside non-payment data.

The best analogy is storing your keys, passport and money side-by-side when you travel. You’re increasing the likelihood that everything that’s really important could be stolen in one shot.

If best practices were not used by Starwood to properly store and protect the encryption keys, then this could be a much larger breach than what was originally reported.

Marriott acquired the Starwood brand in 2016. The fact that this breach has been ongoing since 2014 suggests that the issue was not uncovered during the M&A process.

Starwood was a large enough brand on its own to have a mature digital security process in place. Were red flags missed? Were security gaps not known to Starwood?

Or, perhaps, was digital security was not even addressed at the time of the acquisition?

Understanding a company’s current-state digital security program () is critical to ensuring you’re not overpaying for a company that hasn’t invested enough in risk mitigation.

Compliance is a big part of vetting asset quality and liability during a business combination. Security rigor should play a role

There are lots of best practices and guidelines for companies to consider when planning for and implementing digital security practices.

But these concepts don’t ensure compliance; regulations do.

Organizations will undoubtedly start to face increasing scrutiny and potential audits over how digital security keys are managed. Asserting that data needs to be encrypted or defining what algorithms should be used will no longer be sufficient.

Companies need to be ready to prove that keys are being effectively managed and securely stored, from cradle to grave and at all times in between. Compliance organizations and standard bodies will start looking to add this criteria and companies will need to be ready to respond when new standards are introduced.

Additionally, this incident has all the right elements to become the poster-child case for GDPR. Marriott is an international company and has a significant EU operations base.

Beyond financial penalties, the fallout could drive even greater restrictions and impact privacy regulations & future legislation in the US.

Crisis management is something you plan for, but you never really know what it’s going to look like until something happens.

The Marriott brand has been around since 1927, transforming into the hotel brand it is today in 1957. It has spent decades building a reputation of trust that in just a few moments has taken a hit.

Only time will tell how quickly patrons will forgive. It’s unlikely that they’ll ever forget.

Lawsuits, government intervention, customer mistrust … and don’t forget they’ve got a credit card division, too. Marriott will be in the news for years to come, reminding us over and over again of the strife they suffered by a potentially lackluster digital security program.

Companies are using data to personalize customer experiences. And it works…when the data is gathered with consent and the customer has demonstrated some level of interest.

Think about how deep this goes – the data these hackers have goes beyond buying preferences.

It could include where these travelers have been, what rooms they like, what food they’ve eaten, names and data of other family members who have traveled with them. Birthdays, passwords, even patterns of when someone travels for business and is away from home. From a national security perspective, passport numbers and other information could be sold to adversarial nations.

It sounds far-fetched, but this new world we’re living in has threats we’re not even aware of yet.

This breach could have happened to any company. Cyber attackers are getting more and more sophisticated, and it’s impossible to foresee coming threats and prevent all breaches – but there are steps to take to make it harder, like ensuring every asset is covered by a digital identity, and the devices you’re investing in have security incorporated into the design.

Investing in the right things can reduce the likelihood of a breach while also reducing the negative impact of them when they happen.