The world’s largest hotel chain, Marriott Hotels, announced on Friday (November 30, 2018) that half a billion of its customers’ data had been breached dating as far back as 2014.
Those at risk of security breaches are customers whose data had been stored in the guest reservation database of the chain’s Starwood division. The hacker initially gained access to this database over four years ago.
Marriott admitted on Friday that, although it has known about the breach since November 2016, it does not yet know the full scale of the attack. The chain says it will notify any customer whose data is at risk.
The hotel chain estimates 327 million customer records were accessed including a combination of their name, date of birth, gender, address, contact number, email address, passport number and account information. This means that customers are now at risk of acts such as identity theft or credit card fraud.
Even though the data was encrypted, the hotel chain acknowledged that the keys needed to decrypt this data might also have been accessed during the attack.
Called to comment
“We fell short of what our guests deserve and what we expect of ourselves,” says Arne Sorenson, president and chief executive, Marriott Hotels. “We are doing everything we can to support our guests and using lessons learnt to be better moving forward.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
This is not the first time a global business has experienced a significant data breach this year. In September, Facebook admitted it was possible that 50 million customers were left unprotected by a security flaw which had allowed hackers to gain control of selected users’ accounts.
Also in September, Uber was ordered to pay £113m as a result of attempting to conceal a serious data breach from its regulators in 2016. Uber’s security breach saw 57 million user accounts accessed including over 600,000 driving licence numbers. If this breach happened now, under new GDPR, Uber would be forced to pay in excess of £157m.
“These recent breaches highlight how crucial a safe data culture is to businesses,” says Harj Singh, founder and CEO at Aristi. “With the recent introduction of GDPR, businesses need to be proactive to ensure that they are keeping their customers’ data safe.
If Marriott couldn’t protect its data, how can you? Your top 3 priorities:
- Cyber security is more than just a series of checks – best practice guidelines need to be embedded in your company culture.
- GDPR and cyber security should both be treated as one integral part of your business – rather than as two ‘silos’.
- Regular testing of your business’ security is paramount to ensure you are following best practice guidelines with secure systems.
“Protecting customer data can be simple. Regular checks and security tests as well as ensuring compliance with GDPR will help to prevent your business from any security breaches.”
“For best practice to be sustainable, it must be embedded throughout your culture.
“Understanding an organisation’s culture – whether it’s a company, civil service department, NGO or charity – entails a deep dive. But once you have it, you can empower the organisation to achieve its vision, profitably.
“You do that using a range of tools in the business cyber security toolkit: including consultancy and Cyber Essentials, trusted security advisor service and penetration testing.”
If you’re concerned about your business’ cyber security or simply want to find out more about what you can do to prevent malevolent attacks, call 0121 222 5630 or email firstname.lastname@example.org.