Incident of the Week: Marriott Phishing Breach

Leah Zitter
04/10/2020

On Tuesday, March 31st, hotel giant Marriott experienced its second breach in three years, this time affecting up to 5.2 million of its guests.

The breach originated at a franchise hotel that operates under the Marriott brand. Unknown individuals used the login credentials of two employees at the hotel to access guests’ information.

The exposed information consisted of basic contact details and personal identifying information, such as birthday, gender and employer, as well as loyalty member data and travel information, including hotel and room preferences. Marriott said it “has no reason to believe” payment data was stolen.

Although most of Marriott’s data breaches have happened at its franchises, Mark Sangster, vice president of security firm eSentire, told Wired that businesses must secure not only their own databases but also those of their partners, contractors, and franchisees.

Sangster considered the attack serious because cyber criminals could use the stolen data to craft phishing campaigns that would be extremely difficult to detect.

See Related: The Aftermath Of The Massive Marriott Data Breach

Furthermore, Marriott was slow to detect and report the breach. It took the company a month to do so, and longer still to notify its affected guests. This gave the hackers around six weeks to harvest the data.

Finally, Marriott has accumulated a history of scrimping on its cyber security duties.

This was, after all, Marriott’s second data-hacking disaster.

Marriott's History With Data Breaches

Marriott’s first data breach, which was far worse, occurred two years ago at Starwood Hotels, a subsidiary of Marriott, when its central reservation system was hacked. The case gained notoriety as one of the top five hacking breaches in history: the attackers made off with data, including passport numbers and credit card information, belonging to more than half a billion people.

European authorities fined Marriott $124 million.

Taken together, Marriott shows a pattern that displeases industry figures like John Burns, president of Hospitality Technology Consulting.

See Related: Business Email Compromise, How to Solve the $26 Billion Problem

“People trust us to allow them to sleep safely and securely,” Burns told Bloomberg following Marriott’s 2018 incident. “There’s a longstanding tradition of an innkeeper, that we fulfill that commitment to them. Has it extended naturally, with the same diligence, to the digital environment? Not always.”

This time, Marriott tried to remedy the situation by informing the relevant authorities and launching an investigation. It offered affected US residents a year of free personal monitoring from IdentityWorks and replaced the existing passwords on its benefit programs with two-factor authentication.

Phishing Scams

Phishing scammers use social engineering techniques to motivate people to enter sensitive information, such as credit card details and login credentials, or, if the target is an employee, confidential company details. For example, criminals masquerading as a well-known company may ask you for billing information so that you can receive a refund. You are directed to a fake site, where the information you enter is harvested for identity theft.

Other scammers use more sophisticated methods such as tricking users into installing ransomware or malware, or using fake social media profiles to build up a connection with targeted individuals. Thousands of organizations and businesses are impacted each year, according to the FBI. Famous victims include the Democratic National Committee and MacEwan University in Alberta, Canada.

Scammers exploit information for identity theft, money or blackmail, among other nefarious ends.

The FBI estimates that phishing costs US businesses around $5 billion a year.

How Companies Can Avoid Phishing Scams

There are certain giveaway signs that indicate a phishing attempt. These include poor spelling and grammar; shortened or odd URLs in the email; a strange or mismatched sender address; and a message that looks too good to be true.
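As an added example, not taken from the article or from Marriott, the following Python flags three of these signs in a raw email: a display name borrowing a brand whose domain does not match the sender address, a Reply-To that diverts replies elsewhere, and links that use shorteners, raw IP addresses or domains unrelated to the sender. The brand table, shortener list and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed lookup tables for this example; a real deployment would maintain its own.
KNOWN_BRANDS = {"marriott": "marriott.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels of a host."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the structural giveaway signs found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.rpartition("@")[2])
    # Sign 1: display name claims a brand, but the address is not that brand's domain.
    for brand, brand_dom in KNOWN_BRANDS.items():
        if brand in display_name.lower() and from_dom != brand_dom:
            flags.append(f"sender claims {brand} but mails from {from_dom}")
    # Sign 2: replies are quietly routed to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and registrable(reply_addr.rpartition("@")[2]) != from_dom:
        flags.append("reply-to domain differs from sender domain")
    # Sign 3: links use shorteners, bare IP addresses, or domains unrelated to the sender.
    body = msg.get_payload(decode=True) or b""
    for url in URL_RE.findall(body.decode(errors="replace")):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"shortened url: {host}")
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            flags.append(f"link to raw ip address: {host}")
        elif registrable(host) != from_dom:
            flags.append(f"link domain {host} does not match sender domain")
    return flags

# Constructed sample lure modelled on the refund scenario described in the article.
SAMPLE = """\
From: Marriott Rewards <rewards@marriott-bonvoy-login.example>
Reply-To: refunds@mail-relay.example

We owe you a refund. Confirm your billing details here: http://bit.ly/2xyzAb
Or log in at http://203.0.113.7/bonvoy/login
"""
if __name__ == "__main__":
    print(*phishing_indicators(SAMPLE), sep="\n")
```

The checks are deliberately structural; wording-based signs such as "too good to be true" still need a trained human reader or a content filter.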

The IEEE Computer Society cites training as the best form of prevention. Teach your staff to recognize the tell-tale signs of phishing. On a technical level, prevent phishing emails from delivering malicious payloads by disabling macros across your computer network.

Had Marriott done that, it would have saved itself considerable expense. It would also have avoided entrenching its dubious reputation as a hospitable place for hackers.
