Peterson Sullivan’s IT Risk team knows the importance of keeping up to date on emerging vulnerabilities – and we want you to be informed, too. That’s why we’re compiling some of the biggest news pieces to emerge on the cybersecurity front. We’ll share these regularly, along with our take on what might have reduced the consequences.
Target: Marriott International Inc.
Details: Personal information, including passport numbers, reservation dates, payment card information, addresses, and more, has been exposed to unauthorized access since as early as 2014. Marriott has stated this has affected up to 500 million customers who have reserved or stayed at any of its Starwood properties, such as the Westin, W Hotels, and Sheraton Hotels & Resorts.
On a web page dedicated to explaining the breach, Marriott details its forensic investigation and response efforts and offers affected guests identity theft monitoring, as well as a fraud loss reimbursement benefit “for out‑of‑pocket expenses totaling up to $1 million in covered legal costs and expenses for any one stolen identity event” and consultation support from a third‑party risk management and response provider. Further consequences include pending investigations by the New York Attorney General’s office, potential large fines if GDPR violations are found, and class action lawsuits. Senator Ron Wyden (D‑OR) has put it bluntly: “The Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information. Until companies like Marriott feel the threat of multibillion‑dollar fines, and jail time for their senior executives, these companies won’t take privacy seriously.”
20/20 hindsight: We don’t know yet how the attackers got in, but that doesn’t mean the damage was inevitable. It appears that hackers had access to the system for an unusually long period, up to four years, which is the hallmark of what’s known as an APT (Advanced Persistent Threat). Proper detective controls, like monitoring for unusual traffic, may have helped the company identify and respond to the attack much earlier.
PS provides holistic assessments to help map the current state of your controls, define security goals, and identify and manage risks. Our role as cybersecurity consultants isn’t just to check boxes on a one‑time list. Instead, our experts provide you with the tools for continuous improvement, so you can protect your organization today and in the future. For more information, please contact IT Risk Manager, Maddie Hall.