Hotel group Marriott International is facing a class-action suit in London’s high court after a major data breach on its systems revealed the data of millions of guests.
In one of the biggest data breaches in history, the personal information of more than 300 million customers, including passport numbers, dates of birth, gender, and postal addresses, was stolen. The company also said it “could not rule out” that credit card information had been affected.
Marriott revealed in 2018 that hackers had “gained unauthorised access” to around 383 million guest records around the world. The epicentre of the breach was the chain’s Starwood subsidiary, which was hacked between July 2014 and September 2018.
In a statement, the organisation said: “Marriott has taken measures to investigate and address a data security incident involving the Starwood guest reservation database.
“On November 19, 2018, the investigation determined that there was an unauthorised access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.”
In response, the Information Commissioner’s Office (ICO) announced that it plans to fine the US hotel group Marriott International £99.2 million, which the hotel group has apparently appealed against.
In a statement, Information Commissioner Elizabeth Denham said: “The GDPR makes it clear that organisations must be accountable for the personal data they hold.
“This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that does not happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
The breach affected a variety of Marriott International subsidiaries, including Starwood Hotels, Sheraton Hotels & Resorts, and Westin Hotels.
Up to seven million customers from England and Wales who booked rooms at Starwood properties before 10 September 2018 are being represented in London by technology consultant Martin Bryant, who is leading the legal action.
The ICO said that Marriott co-operated with its investigation and has “made improvements to its security arrangements” since these events came to light.
“The company will now have an opportunity to make representations to the ICO as to the proposed findings and sanction,” the ICO said.
More of the Same
The announcement of the Marriott attack comes as the major Blackbaud ransomware attack continues worldwide.
Organisations including Edinburgh Zoo, the Bletchley Park codebreaking museum and several universities in the UK, the US, and Canada, have all been affected.
Hackers gained access to the private information of guests and demanded a ransom for its return. The ransom has since been paid and it is believed that the cybercriminals have destroyed the data.
The Marriott attack is the third-largest cyber breach in history, behind only Facebook and the Friend Finder Network.
In 2019, 20% of Facebook’s 2.3 billion users were affected. Several unprotected databases containing 419 million records of Facebook users were discovered online, TechCrunch reported.
The databases were found with no password protection in place, making them freely open and accessible to anyone online.
In November 2016, a similarly large data breach targeting adult dating and entertainment company Friend Finder Network exposed more than 412 million accounts, making it the largest to date.
The hack included 339 million accounts from AdultFriendFinder.com and accounted for two decades’ worth of data from the company’s largest sites.
The Problem Won’t Fix Itself
Cybersecurity expert Jordan M. Schroeder says that it isn’t easy to protect against cybersecurity incidents, particularly as they become more complex.
“I don’t see these things as ‘failures’. Information technology is extremely complex, multi-layered, and constantly mutating,” he said.
“No one can know a system completely from end-to-end, and if they are somehow able to, then that knowledge gets old very quickly as the system evolves.”
Large organisations are likely to have more vulnerabilities in their cybersecurity defences due to their size, but even small and well-prepared companies can become victims of data breaches.
In early August, cybersecurity training organisation the SANS Institute announced it had suffered the loss of 28,000 items of personally identifiable information (PII) after a phishing attack.
In a statement, the company said: “On August 6th, as part of a systematic review of email configuration and rules, we identified a suspicious forwarding rule and initiated our incident response process.
“This rule was found to have forwarded a number of emails from a specific individual’s e-mail account to a suspicious external email address. The forwarded emails included files that contained some subset of email, first name, last name, work title, company name, industry, address, and country of residence.
“SANS quickly stopped any further release of information from the account.”
Schroeder continued: “What these breaches show is the depth and complexity of the problem facing every company. The size of the breaches is also an indication of the inherent risks involved.”
“I’m not saying that the problem is too big to fix, just that no one can create and maintain a perfect system. Especially if the company also wants to evolve, adapt, and innovate.”