It feels like only 18 months ago that international hotel group Marriott was subject to a data breach in which hackers stole the records of 339 million guests. That’s because it *was* only 18 months ago, and yet despite Marriott being fined almost £100m by the Information Commissioner’s Office (ICO) under the General Data Protection Regulation (GDPR), it has fallen victim to another significant data breach.
On 31 March 2020, the company issued a statement that revealed 5.2 million of its customers had had their information accessed via the login credentials of two employees at a franchise property. How could such a major breach happen so soon after the previous one?
Customers deserve better
After the previous data breach, one would have hoped that Marriott had really locked down its cybersecurity to ensure it didn’t happen again. So the news that the details of a further 5.2 million Marriot customers have been breached is alarming.
This type of data theft is becoming more and more commonplace, and data stolen in this instance included detail such as name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, date of birth, linked loyalty scheme information from other companies – this is all highly valuable in the wrong hands.
The fact that this breach began in mid-January and was only discovered and halted by the end of February is really not good. It then took a further month to begin notifying the customers that had been breached.
When people use a large hotel chain, they rightly expect their data to remain private and it’s almost a given that customer data security is a priority. Marriott will probably be looking at another large fine for this latest breach, but the long-term brand implications might be even worse. Once the travel and tourism industry begins to get back to normal after COVID-19 has passed, will this latest breach have an impact on which brand people choose to stay with?
The importance of process in cybersecurity
Cybersecurity is complicated and challenging against an ever-evolving threat, but an essential part of it is having the right processes in place – being able to identify breaches as soon as possible, taking measures to stop them and reporting them to the relevant authorities.
After the first breach, Marriott no doubt invested in cybersecurity technology and improved its defenses, but an organization’s defenses are only as strong as its weakest links. If employees weren’t fully trained or did not treat cybersecurity as a priority, then vulnerabilities can become more pronounced.
It feels like the right processes were not in place here. Given that Marriott International has already been fined £99M by the Information Commissioner’s Office (ICO) under GDPR for its previous breach, it is hard to understand why that was the case.
Successful cybersecurity is not just a question of investing in the latest software, it’s a combination of people, processes and technology working together. If an organization is lacking in any one of these three areas, then they will be vulnerable.