You might recall that the Marriott hotel chain got hit with a massive data breach, one that personally affected me because I have stayed at a few of their hotels in the last few years. Well, Marriott is looking at a massive fine because of it, thanks to the UK Information Commissioner’s Office (ICO):
Following an extensive investigation the ICO has issued a notice of its intention to fine Marriott International £99,200,396 for infringements of the General Data Protection Regulation (GDPR).
The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.
It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.
The £99,200,396 fine translates to roughly $123 million USD. And if the agency handing out this fine sounds familiar, it’s the same group of people that wants to serve up a massive fine on British Airways because of their data breach. Now, like British Airways, Marriott has said that it will contest the fine. But the fact that these fines are being handed out is a good thing. Companies that handle personal data need to understand that if they screw up and lose control of this data, they will be held accountable and it will hurt. So I am all for these mega fines being handed out, as it sends a message that companies cannot ignore.
Marriott Has Yet Again Been Pwned
Posted in Commentary with tags Hacked, Marriott on July 6, 2022 by itnerd

Marriott International confirmed Tuesday that an unknown criminal hacker broke into its computer networks and then attempted to extort the company. The incident was first reported by databreaches.net and has been claimed to be the work of an ‘international group working for about five years’, according to the site. Now, this is not the first time that Marriott has been at the centre of a data breach. Several years ago they went public with a massive data breach, and the Chinese were thought to be the threat actors in that case. Regardless of who was behind it, it led to them getting fined massively as a result. But it didn’t stop them from getting pwned again. And there are a few more incidents of Marriott getting pwned that I’m not listing here.
Saryu Nayyar, CEO and Founder of Gurucul had this comment:
“A primary mechanism being used by adversaries is social engineering. It’s simple and effective. And it means that initial compromise is dependent on human behaviors and is therefore impossible to prevent 100% of the time. All it takes is one successful compromise to circumvent most preventive controls. What is required is a stronger detection program that also monitors for and identifies risky access controls, entitlements and user behaviors and associated abnormal or deviant activity. This includes potential threats from the inside, not just outside threats. More advanced and adaptable technologies that use machine learning and artificial intelligence to compensate for threat actor activity and human behavior have proven to be more effective at stopping successful attacks.”
Clearly Marriott has a problem, because they keep getting pwned. That’s why I don’t stay with them when I travel anymore, as I was personally affected by one of the breaches. They really need to get their head into the game, as this is completely unacceptable.