
ABHIJEET RAGHUVANSHI MBA IT 2018-2020 18030141051

INFORMATION SECURITY MANAGEMENT

CASE STUDY

MARRIOTT

Data Breach (disclosed 2018)

ABHIJEET RAGHUVANSHI

18030141051

DIV A

1. INTRODUCTION

Marriott International was formed in 1993 when the Marriott Corporation split into two
companies, Marriott International and Host Marriott Corporation. In 1995, Marriott was the first
hotel company worldwide to offer guests the option to book reservations online, via the
company's implementation of MARSHA (Marriott's Automatic Reservation System for Hotel
Accommodations).

In April 1995, Marriott International acquired a 49% interest in Ritz-Carlton Hotel Company
LLC. Marriott International believed that it could increase sales and profit margins for The Ritz-
Carlton, a troubled chain with a significant number of properties either losing money or barely
breaking even. The cost to Marriott was estimated to have been about $200 million in cash and
assumed debt. The next year, Marriott spent $331 million to take over The Ritz-Carlton, Atlanta
and to buy a majority interest in two properties owned by William Johnson, a real estate developer
who had purchased The Ritz-Carlton, Boston in 1983 and expanded his Ritz-Carlton holdings
over the following twenty years.

2. WHAT HAPPENED?

On September 8, 2018, Marriott received an alert from an internal security tool that there had
been an attempt to access its Starwood guest reservation database. After consulting with security
experts, Marriott learned that there had been unauthorized access to the Starwood network since
2014. Marriott then discovered that the unauthorized party had copied and encrypted
information and had taken steps towards removing it from the network; because the attacker
had encrypted the copied data, Marriott first had to decrypt it to learn what had been taken. On
November 19, 2018, Marriott was able to decrypt the information and determined that the
contents were from the Starwood guest reservation database.

Marriott said in a statement that it “values our guests and understands the importance of
protecting personal information”. It says it has taken measures to investigate and address the data
security incident, but adds: “The investigation has determined that there was unauthorized access
to the database, which contained guest information relating to reservations at Starwood
properties on or before September 10, 2018.”

3. WHAT IS THE IMPACT?

Marriott says it “has not finished identifying duplicate information in the database”, but believes
it contains information of up to approximately 500 million guests who made a reservation at a
Starwood property.

Its statement says: “For approximately 327 million of these guests, the information includes
some combination of name, mailing address, phone number, email address, passport number,
Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and
departure information, reservation date, and communication preferences.”

Meanwhile, for some guests, the information also includes payment card numbers and payment
card expiration dates. The hotel group says the payment card numbers were encrypted using the
Advanced Encryption Standard (AES-128).

Encryption at rest only protects the card numbers if the attacker did not also obtain the key
material. There are two components needed to decrypt the payment card numbers, and at this
point Marriott “has not been able to rule out the possibility that both were taken”. In other
words, the encrypted card numbers should be treated as exposed until that possibility is ruled out.
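The statement does not say what the two components were. As an added example (not Marriott's or Starwood's actual scheme), the following Go program shows the usual arrangement that gives that property: each card number is encrypted under a data encryption key (DEK) stored in the row, and the DEK is itself wrapped under a key-encryption key (KEK) that is held outside the database (an HSM or key-management service). An attacker who copies the whole table has component one; without the KEK the rows cannot be decrypted. The card number and the fixed KEK used for the demonstration are constructed values, and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts plaintext with AES-128-GCM under key. The random nonce is
// prepended to the ciphertext so the blob can be opened later.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. With the wrong key GCM authentication fails and
// no plaintext is returned.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// CardRecord is what a reservation database row would hold: the card number
// encrypted under a per-record DEK, and that DEK wrapped under the KEK.
// The KEK itself is never stored in the database (hypothetical layout).
type CardRecord struct {
	EncryptedPAN []byte
	WrappedDEK   []byte
}

// EncryptCard generates a fresh 16-byte DEK, encrypts the card number (PAN)
// with it, and wraps the DEK under the caller-supplied 16-byte KEK.
func EncryptCard(kek []byte, pan string) (CardRecord, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return CardRecord{}, err
	}
	encPAN, err := seal(dek, []byte(pan))
	if err != nil {
		return CardRecord{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{EncryptedPAN: encPAN, WrappedDEK: wrapped}, nil
}

// DecryptCard needs both components: the stolen row and the KEK.
// Unwrap the DEK first, then decrypt the PAN with it.
func DecryptCard(kek []byte, rec CardRecord) (string, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := open(dek, rec.EncryptedPAN)
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := make([]byte, 16) // in production this comes from an HSM/KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptCard(kek, "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	pan, err := DecryptCard(kek, rec)
	fmt.Println("legitimate service with KEK:", pan, err)

	// Attacker scenario: the whole row was copied, but the KEK was not.
	_, err = DecryptCard(make([]byte, 16), rec)
	fmt.Println("stolen row without KEK:", err)
}
```

The point of the layout is that an attacker who exfiltrates the table, even together with every wrapped DEK, still has only one of the two components; the "cannot rule out that both were taken" language in Marriott's statement is exactly the question of whether the KEK-equivalent was also reachable from the compromised network.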

4. WHY DID IT HAPPEN?

We don’t yet know the root cause(s) that forced Marriott, in November 2018, to disclose a
four-year-long breach involving the personal and financial information of up to 500 million guests
of its Starwood hotel properties. But any time such a colossal intrusion goes undetected for so
long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity
defense, one that applies to both corporations and consumers: assume you are already
compromised, and build monitoring and containment on that basis.

5. WHAT IS BEING DONE?

The hotel group says it “moved quickly to contain the incident and conduct a thorough
investigation with the assistance of leading security experts”.

It has also set up a dedicated website and call center. It says it will phase out its Starwood
systems and “accelerate the ongoing security enhancements to our network”.

Marriott began sending emails on November 30, 2018 to affected guests whose email addresses are
in the Starwood guest reservation database. It is also providing guests with free WebWatcher
enrollment: access to a tool that monitors internet sites where personal information is traded
and alerts the consumer if evidence of their personal information is found.

6. ANALYSIS

This is a major incident affecting a huge number of customer records. Even Facebook’s breach
affecting 50 million accounts is dwarfed by this one, at up to 500 million. Even if, as Marriott
says, the number of customers whose personal information was exposed is closer to 327 million,
the implications are massive.

If any of the customer details belong to people in the EU, which is likely given the global nature
of the group, the breach will also fall under GDPR. The resulting fines could be astronomical, at
up to 4 per cent of global annual turnover, and that is on top of possible class action lawsuits
from those affected. It will also be a blow to the group's reputation.

The other question is why the group took so long to announce the breach to customers. With
others such as British Airways announcing a cyber-attack within days of discovering it, Marriott
could come under heavy criticism. It is not known whether the breach was reported to the
regulatory authorities when it was first detected. Under GDPR, a breach of personal data must be
reported to the supervisory authority within 72 hours of the organisation becoming aware of it.

Marriott says it “reported this incident to law enforcement and continues to support their
investigation” and simply added that it had “already begun notifying regulatory authorities”.

7. RECOMMENDATIONS

If you have stayed at a Starwood property and the service is available in your country, it makes
sense to take up the WebWatcher access. Other tools are also available, such as ‘Have I Been Pwned’.

It goes without saying that users should change the password on their SPG account, and the same
goes for any other account where that password was reused. In addition, watch your bank and card
statements for any suspicious activity, and be wary of emails claiming to be from Marriott: cyber
criminals routinely use incidents such as this one to orchestrate scams and phishing emails.
