Marriott Agrees to $51 Million Settlement Following Data Breaches
Marriott International, in conjunction with Starwood Hotels, has agreed to a significant settlement of $51 million as a consequence of their inadequate protection of user data during a series of substantial data breaches. The financial penalty is set to benefit approximately 341 million individuals across all 50 states in the United States and is part of a broader agreement stemming from three separate incidents that occurred between 2013 and 2020.
In response to these data breaches, Marriott has committed to significantly bolster its cybersecurity practices. The company has pledged to compile a detailed report of its information security protocols and to submit this documentation to the Federal Trade Commission (FTC) for the next 20 years. This commitment includes annual audits by an independent third-party organization to assess compliance with the enhanced security measures.
Furthermore, investors and customers alike can expect the implementation of a vital feature that allows users to delete their personal information from their Marriott Bonvoy Loyalty Rewards accounts, as mandated by the FTC following a thorough legal review of the incidents.
Amid these developments, Marriott has faced additional scrutiny over a more recent cybersecurity incident in which hackers reportedly accessed one of its databases and extracted around 20GB of sensitive information, including guests’ credit card data. Although Marriott had denied a breach in June 2022, it has since come to light that an employee at the BWI Airport Marriott may have fallen victim to a social engineering attack, which potentially opened the door to this data compromise.
The incidents surrounding Marriott underscore the increasing threats facing the hospitality sector as data breaches become more pervasive. Events of this nature not only compromise sensitive customer data but also pose a significant risk to a company’s reputation and financial stability.
In terms of the tactics and techniques that may have been employed in these data breaches, viewing them through the lens of the MITRE ATT&CK framework points to the Initial Access tactic, with social engineering as the likely route in. Such initial access entry points may include phishing attacks that trick employees into revealing confidential information. Moreover, if the Marriott breaches relied on social engineering, they signal a concerning increase in the sophistication of cyber-attacks in which employees are manipulated into providing access to secure systems.
As the threats surrounding cybersecurity continue to evolve, businesses within the service industry must prioritize stronger security frameworks and responses to potential vulnerabilities. The Marriott incidents serve as an urgent reminder of the necessity for robust cybersecurity strategies and compliance protocols to safeguard sensitive consumer information against sophisticated cyber adversaries.