Remember the story of the Trojan Horse? The Trojans and Greeks had reached a stalemate in their war because the walls of Troy could not be breached. One day the Trojans woke to find that the Greeks had sailed away in the night, leaving behind a wooden horse as a gift. Relieved to be finished with the war, the Trojans eagerly dragged the horse inside their city walls. That very night Greek soldiers sprang from the horse and destroyed the city from within, and the rest, as they say, is history.
Now you might be thinking, "What does this have to do with Marriott?" In late 2015 Marriott International, Inc. undertook a campaign of its own when it announced that it would acquire Starwood Hotels & Resorts Worldwide, a deal completed in 2016 that made it the largest hotel company in the world. The integration was a massive undertaking that would take years of work, but it added thousands of properties and created the largest guest loyalty program of its kind. Just as the Trojans did long ago, however, Marriott was over-eager to seize the prize and unwittingly let the enemy behind its gates. The result: the personal information of up to half a billion guests was stolen right out from under its nose.
Marriott Invites in Threat Actors
How did something like this happen to a company like Marriott? There was no wooden horse, but Starwood's massive customer database was something Marriott was eager to bring into the fold. Unfortunately, the guest reservation portion of that database had already been compromised by attackers, who simply rode it into Marriott's environment.
Marriott takes careful measures to protect its information and secure its network, but its new business partner had not been so careful. Threat actors had gained access to Starwood's network as early as 2014, roughly two years before the acquisition closed, and they continued to siphon guest data from it for years without anyone noticing.
Hotels are among the most popular targets, accounting for 92% of all point-of-sale intrusions in 2017. A hotel is so interconnected with other businesses (shops, restaurants, mail services, laundry, and so on) that a breach can spread quickly if it is not detected early. The Starwood compromise was of the reservation database rather than of point-of-sale terminals, but the lesson is the same: a foothold in one connected system is a foothold in all of them.
Sadly, Marriott did not detect the breach until the data had already been taken. For some 327 million of the affected guests, the stolen records included names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, and reservation details; for a subset, encrypted payment card numbers were taken as well. Researchers from threat intelligence companies investigating the breach believe that Marriott could have isolated and evicted the intruders as far back as 2015, during its acquisition due diligence, had it taken the appropriate measures.
Here we can see Marriott's true shortcoming. It was so confident in its own security policies and protocols that it was blind to the possibility that its new business partner did not meet the same standard. Because of this oversight Marriott failed to vet the incoming database and the network around it for an existing compromise before connecting them to its own, and the result was a costly Trojan horse effect.
Build Your Road Map or Face the Consequences
The Marriott breach offers a valuable lesson not only to CEOs in the hospitality industry but to all CEOs. What works today will not be good enough tomorrow; threat actors are constantly finding new ways into your network. If you are not planning ahead and continually reviewing your security processes, you will fall behind and find yourself vulnerable.
Too often CEOs and business owners see cybersecurity as a compliance box to check or an unnecessary expense. Consider the consequences of Marriott's oversight: the class action lawsuits Marriott now faces, the 5.6% drop in its share price on the day the breach was announced, and the millions of dollars it will inevitably spend repairing its damaged reputation. Marriott has already offered a year of identity-monitoring enrollment to any guest affected by the breach. Wouldn't it be better to set aside a bit more of your budget for network security than to pay for a year of a LifeLock-style monitoring service for 327 million victims, not to mention the damage to a formerly pristine reputation?
For those who choose to ignore the warnings, a wave of new regulation will soon force the laggards to play ball. The California Consumer Privacy Act, passed in June 2018, gives consumers the right to know what personal data a business holds about them and whether that data is sold to third parties, the right to opt out of such sales, and the right to have the data deleted. It also lets consumers sue when a data breach results from a business's failure to maintain reasonable security for the data it has collected. Luckily for Marriott, the act does not take effect until January 1, 2020, but it is plain to see that lawmakers are paying more attention to cybersecurity, and the CCPA is likely just the beginning.
So whether you have had security measures in place for years or are setting up protocols for a new business, it is important to self-assess and plan for the future. Think of it as building your own IT road map. Once you know where you are and where you want to be, you can start to identify the detours, pit stops, and roadblocks you will meet along the way, so that your company and your customers can avoid a Marriott-style multi-car pile-up.
Network security is not a one-and-done deal. Installing a 'top of the line' security system will only get you so far if your company doesn't have the right practices and protocols in place, and if you don't look ahead, your shiny new system will quickly fall behind. Finally, once you have your IT road map, apply it to business partners and acquisitions as well, because you will find that many companies are severely lacking when it comes to network security.
If the task seems daunting, begin with a simple security checklist and start building your road map, so you don't go down in the history books as the next victim of a Trojan horse.