It has been reported that Marriott International Inc. has suffered yet another data breach, the second time the hotel chain has had data stolen this year. Initially reported by DataBreaches.net, an unnamed hacking group claimed to have stolen roughly 20 gigabytes of data. The data, including credit card information and personally identifiable information on guests and workers, was stolen from an employee at the BWI Airport Marriott in Baltimore.
“Threat actors continue to use proven social engineering techniques to gain access to systems, and it appears that a major international hotel chain is the latest victim of this technique. As an organization’s security team continues to educate end users on ways to identify phishing and other cyber threats, this latest report emphasizes the continued danger of social-engineering exploitations, particularly as employees have begun a mass return to the office.”
“As we see so often, humans are the target for attackers. It doesn’t matter how well-trained staff are, attacks are getting ever more sophisticated. People are so busy and systems so complex, it’s too easy to make a simple mistake and click on a bad link or install infected software. Training remains important, but back it up with systems that prevent installation of malware (step one is to remove local admin rights from users’ systems) and ensure that no user has direct access to sensitive data or critical IT systems with administrator privileges.
Security is an ongoing process and not a tick box exercise – the fact that this isn’t the first time Marriott has suffered a breach demonstrates the need to keep security processes up to date and employees educated on the need to implement and follow them.”
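The quote above recommends removing local admin rights from users’ systems as the first step. Checking that this has actually happened across a fleet is a routine audit task, so here is an added example (not code from the article or from Marriott) that parses the text `net localgroup Administrators` prints on a Windows host and flags accounts that hold local admin without being on an approved list. The hostnames, the `CORP\...` group and account names, and the sample outputs are constructed for the example.

```python
"""Audit local Administrators group membership across workstations.

Added example: parses the text that `net localgroup Administrators` prints
on Windows (the outputs below are constructed, not captured from any real
host) and reports accounts that hold local admin rights without being on
the approved list.
"""
from typing import Dict, List

# Accounts allowed to hold local admin on end-user workstations.
# Hypothetical names chosen for the example.
APPROVED_ADMINS = {"Administrator", "CORP\\Domain Admins", "CORP\\WorkstationAdmins"}

# Constructed sample output, keyed by hostname.
SAMPLE_OUTPUT: Dict[str, str] = {
    "WS-FRONTDESK-01": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\WorkstationAdmins
The command completed successfully.
""",
    "WS-FRONTDESK-02": """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
localhelper
The command completed successfully.
""",
}


def parse_members(net_localgroup_text: str) -> List[str]:
    """Return the member names listed between the dashed rule and the status line."""
    members: List[str] = []
    in_members = False
    for raw in net_localgroup_text.splitlines():
        line = raw.strip()
        if not in_members:
            # Everything before the dashed rule is header text.
            if line.startswith("----"):
                in_members = True
            continue
        # A blank line or the trailing status line ends the member list.
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def find_unapproved(host_outputs: Dict[str, str], approved=APPROVED_ADMINS) -> Dict[str, List[str]]:
    """Map each host to its unapproved local admins; clean hosts are omitted."""
    findings: Dict[str, List[str]] = {}
    for host, text in host_outputs.items():
        extra = [m for m in parse_members(text) if m not in approved]
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for host, extras in find_unapproved(SAMPLE_OUTPUT).items():
        print(f"{host}: unapproved local admins -> {', '.join(extras)}")
```

In practice the per-host text would be collected by a management tool or a remote shell session; the script only needs the captured output. Running it on the constructed sample flags `WS-FRONTDESK-02` for `CORP\jdoe` and `localhelper`, which is exactly the kind of standing local admin access the quote says should be removed.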
“Now is not the time to bayonet the wounded, as Marriott has a mature and talented security team. Their latest breach disclosure is a reminder to all organisations of how difficult it is protecting critical assets when persistent cyber criminals target your company. An important component of reducing organisational risk starts with security awareness training and conducting it regularly. Today, employees continue to frequently be the weakest link inside the company, whether malicious or inadvertent. Think of security awareness training like a basketball team that needs more practice to execute the plays with precision in the games. The only way you can improve is with practice, patience and repetition. Ultimately, practice in peacetime to help reduce the risk associated with the real threats when they hit your company. And you must have a detection strategy and you must test it all. Then you tune and tune and tune.”
“Thanks to the research performed in the industry, we know that every ransom payment results in another 100 (approx.) campaigns where more and more organisations are impacted and people’s data is being stolen.
Regardless of the implications to their business and the context of why this incident has taken place, I’m glad to see that Marriott hasn’t paid the ransom demand, and we should praise companies for not financing the threat actors and sponsoring further attacks. I hope they can take the valuable lessons learned from this incident and improve their and others’ security by sharing this knowledge.”