Hotel stay booked for the summer? Make sure you don’t leave your data behind!
Marriott Data Breach
Global Hotel brand, Marriott, has hit the headlines yet again with news of another data breach; their third in five years.
From 2014-2016, 340m customers had their personal data exposed (this was not reported until 2018) and in 2020, the personal data of over 5 million guests were exposed. In between those breaches, the GDPR (General Data Protection Regulation) came into effect and resulted in a fine of £18.4m from the ICO for the latter of the two breaches. It is estimated however that the total cost could be up to £10bn, with a number of people affected subsequently suing for damages.
In a statement, Marriott disclosed that this latest breach was a result of a social engineering attack; an employee at the hotel was tricked into giving over access to their computer to hackers and resulted in the loss of 20GB worth of data, including some 300-400 guests’ details, including credit card numbers.
This seems reflective of a change in how cyber criminals are operating. Verizon’s 2022 Data Breach Investigations Report found that 82% of data breaches involved a human element. This serves as a warning for security leaders, particularly regarding the threat posed by social engineering threats, and the havoc that poor security awareness can wreak on an organisation.
There’s little doubt that after their first two breaches, Marriott would have doubled down on securing their systems and networks. Attacks that target endpoints or IT systems can be patched or mitigated consistently, but humans aren’t perfect, and can easily make the mistake of handing over login credentials or exploitable information. This begs the question; how did a data breach occur again, and seemingly so easily? Marriott’s cybersecurity will be facing particular scrutiny given the reports of breaches in recent years, but this is a great opportunity for organisations, especially those in the leisure sector who are facing a busy season, to ask themselves if they could stop a similar attack.
Technology is not enough to prevent a breach
This latest attack involved taking multi-factor authentication (MFA) credentials. Along with highlighting the necessity of training, it also serves as a reminder that technology alone cannot be relied upon to protect sensitive data but it can go a long way to reduce vulnerabilities.
Train your staff well, and often
One of the simplest ways to address social engineering threats is with regular security awareness training. Teach employees security best practices, what phishing, social engineering and other manipulation attempts look like and run regular phishing simulation tests, so they can avoid sharing any valuable information with cyber criminals.
Identify and protect sensitive assets
Financial data is the top target for hackers, with over 70% of attacks being financially motivated. It’s important that this data in particular is given additional layers of protection.
Do not treat data protection as a check box exercise
As cyber criminals have evolved how they operate, standards such as the PCI DSS have also evolved to consider these threats and how best to mitigate them. The latest standard, PCI DSS 4.0, aims to promote security as a continuous process and offers greater flexibility in how organisations achieve compliance. It’s important that organisations are aware of and put these updated standards into practice. Our PCI DSS 4.0 timeline serves as a useful guide to these changes and what they mean for organisations.
Descope credit card data from your organisation
Organisations benefit from a reduction in scope by outsourcing PCI compliance to a third party like PCI Pal. Descoping your infrastructure from the requirements of PCI DSS (Payment Card Industry Data Security Standards) is one of the most effective ways to protect your customers’ card data. By keeping your customers’ card data out of systems and minimising contact areas where data is processed or stored, you remove the number one target for hackers and reduce the scope for human error.