Marriott Hotels have disclosed another data breach, in which details approximately 5.2 million guests were leaked. Internal investigation by the hotel says the guest information was accessed using the login credentials of two employees at a franchise property.
“At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property. We believe this activity started in mid-January 2020,” said the company announcement.
“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
The hotel did not disclose the region affected by the data breach. "The company does not currently believe that its total costs related to this incident will be significant," the announcement said.
The Information Commissioner’s Office UK last year fined the company £99 million for violation of GDPR norms, owing to a data breach that came to light in 2018. Private data of nearly 500 million Marriott guests were exposed then.
“Marriott has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light,” said the ICO announcement in July 2019.
“As a Marriott customer myself, it is very disheartening that they apparently did not learn from their first missteps,” commented Will LaSala, senior director of global solutions, OneSpan.
“Security is easily overlooked and often misplaced trust leads to failures such as this. Large organisations can often find it difficult to implement a one-size fits all authentication and security plan, however from my experience, a one-size fits all approach never works and seems to leave the door open for hackers to break through. Instead, organisations should look to implement risk-based tools that adapt to the changes,” he said.
Huge enterprises keep struggling with large-scale data breaches, as bigger size offers more breach points, noted Carl Wearn, head of e-crime at Mimecast.
“Hackers are creative and persistent, and IT teams often play catch up when it comes to security. This is particularly true for databases that may not always be configured with security in mind,” he said.
IT teams must fully understand their environment -- the attack surface -- and where the data is being stored to identify any vulnerabilities quickly and easily and issue a patch update where required, he suggested.