Earlier in 2018, Hotel giant Marriott disclosed that it suffered one of the most massive breaches in history. The hack compromised of invading information of 500 million people who made reservations at a Starwood hotel. On Tuesday again, Marriott revealed that it was hacked again, this time with up to 5.2 million guests at risk. However, the recent Marriott data breach doesn't seem to be so devastating like the earlier, as sensitive information like passport numbers isn't seen affected at all. But a major leading hotel chain getting hit twice shows just one thing - how vulnerable the customers' data are and how bad the protection system is!
The Hack (Yes, Again)
As per the details revealed by Marriott hotel, the breach dates back to mid-January, when someone accessed 'guest information' with the credentials of two franchise property employees. It is still unclear whether those credentials were stolen. The data obtained includes contact details like names, email and home addresses, phone numbers, as well as gender, birthday, frequent flier numbers, loyalty account info, and hotel preferences, among others.
Though the Marriott data breach occurred in mid-January, the hotel giant realized it towards the end of February, indicating that it remained for several weeks before getting red-flagged. After that, the hotel giant disabled the credentials, started an investigation, and forwarded emails to guests whose data is believed to have been breached. The 2018 breach of Marriott was explicitly against the reservation database of Starwood, which Marriott acquired in 2016. And the recent one began with a franchisee.
The Affected Lot
Around 5.2 million members of the Marriott Bonvoy loyalty program is believed to have been affected, although the numbers may rise. For the victims, Marriott has changed their Bonvoy account password, so that they can reset it. When they reboot, the system will prompt them to enable two-factor authentication for protecting the details. If the franchise employee's credentials were stolen, Marriott's is also trying to implement the same level of heightened security to its own staff as well. "Most breaches could simply be prevented with multifactor authentication," says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. "For any elevated access, organizations should be leveraging enhanced security controls. Multifactor authentication should be applied to everyone. And for elevated accounts that have high levels of access, the scrutiny on security should be even more extensive."
For the affected US residents, Marriott will compensate for a year of identity monitoring from IdentityWorks, which is managed by the credit-reporting company Experian. The visitors have time till 30 June 2020 to enroll at their site. They will need an activation code which can be found either in the notification email or Marriott's new "Did my info get hacked" portal.
Seriousness of the Marriott Hack
The recent breach is not as severe as the earlier one, which not only breached sensitive information like passport numbers but was also part of the state-sponsored Chinese hacking campaign. However, it is still wrong, though less. "Loyalty account numbers and history, and traveler preferences, allow criminals to tailor phishing campaigns with individualized schemes that become almost impossible to detect with the naked eye," says Sangster.
In addition to this, there is Marriott's security system, which is in a bad light for multiple breaches. "There are outstanding questions about the security of Marriott's APIs and how hotels are allowed to access them," Rusty Carter, vice president at security firm Arxan Technologies says. "In the same way that a store manager balances the register each day, companies in possession of customers' data should verify access to individuals' information and be able to identify anomalies quickly."
Marriott is not the first and only company to get hacked multiple times. Yahoo leads the way, with separate hacks of 500 million and 3 billion users, respectively.