Second Marriott international data breach risk management was not a priority

April 16, 2020

It was only 18 months ago that the hotel chain Marriott International, parent company of world-renowned hotel brands such as Le Méridien and Sheraton, was subject to one of the biggest data breaches in corporate history.

Cyber criminals managed to steal the records of 339 million Marriott International guests, including personal data such as credit card details, passport numbers, addresses, phone numbers, reservation preferences and dates of birth – a major breach of data privacy.

Such a significant data breach attracted the attention of the Information Commissioner’s Office (ICO), which issued a £99.2m fine for Marriottrelating to breaches under the General Data Protection Regulation (GDPR).

One might think that given the size and scale of both the data breach and the subsequent fine, Marriott International would have prioritised risk management and cybersecurity from that point onwards. Yet just a few weeks ago, the company revealed that 5.2 million of its customers had their information accessed – isanother major breach an example of a failure to prioritise risk management?

GDPR non-compliance is a significant risk

GDPR has been in force for almost two years now and has been a real shot across the bows of organisations that hold data on EU citizens but do not look after it effectively. The sheer size of the fines that have been issued is one factor, but also the willingness of data protection authorities to issue and enforce penalties to the biggest organisations.

Marriot International certainly falls into that category, which makes it even harder to understand why it did not tighten its risk management strategy and risk management software after the initial data breach.

Thatoriginal data theft had begun in 2014 and had been allowed to continue undetected until 2018, and with30 million of the hacked guest records related to residents of the EU, it was always going to be a landmark case. Non-compliance of GDPR (and other regulatory compliance) should be included in any organisation’s risk management planning and mapping, so that risk can be managed and mitigated.

If that organisation is using an integrated IT GRC tool then it can also adopt measures that will help ensure that all data coming into the business is managed effectively and provide that reassurance is compliance. Marriott International almost certainly would have had such GRC software in place, but something went wrong for such a large further breach to occur.

Risk management software and mitigation of data breaches

The most recent Marriott International data breach was revealed in March 2020, in a company-issued statement. The data stolen in this instance included detail such as name, postal and email addresses, phone numbers, Bonvoy loyalty card balance, date of birth, linked loyalty scheme information from other companies.

This latest breach began in mid-January and was only discovered and halted by the end of February, which also suggests that a breakdown in the system had occurred somewhere along the line. It then took a further month to begin notifying the customers that had been breached.

Although many organisations ensured they were compliant with GDPR on paper, it would appear that a number of practical cybersecurity measures were overlooked. The second Marriott International breach came viathe login credentials of two employees at a franchise property, which feels like it could and should have been avoidable.

Investing in the right risk management software, whether as part of integrated GRC software or a standalone system can help manage cybersecurity risk much more effectively. Oxial’ssGRC solution is one such IT GRC tool, coming with a range of features that help organisations assess and manage risk, including the significant threat that comes from cyber-attack and data breaches.

GDPR penalty reprieve does not mean a relaxing of risk management

A recent (April 2020) update from the UK ICO has revealed that the fines issued to both Marriott International and British Airways for data breaches are to be deferred pending further investigation. Both firms have already seen one extension in January 2020 which expired at the end of March 2020, and this latest reprieve has led some observers to question whether the lack of enforcement could encourage other organisations to be less stringent in their risk management strategies.

However, the reality is that these latest reprieves are as much a reflection on the current world situation with coronavirus as anything else. Both tourism and travel have been among the industries hardest hit, and there isn’t much sense in enforcing such major fines until the industries have bounced back a little.

Furthermore, the penalty is just one risk that comes with data breaches and subsequent non-compliance with GDPR. Tourism is a competitive industry even during normal times, and the long-term brand repercussions for Marriott International are yet to be known. Once the industry returns to normal after the coronavirus has passed, how many guests might decide that they would rather stay in a hotel that takes their data privacy seriously?

Cybersecurity should be treated as part of an overall risk management strategy and that is very much the approach Oxial uses. For more details on our risk management software, feel free to contact us here.