The hotel giant Marriott confirmed a new data breach, this time involving the personal information of 5.2 million guests.
According to an online notice that Marriott posted on Tuesday, the attack was carried out via a third-party software that Marriott’s hotel properties use to provide guest services.
Marriott discovered the breach in late February. The hackers obtained the login credentials of two employees and broke in weeks earlier, in mid-January.
While Marriott said it has “no reason” to believe payment data was stolen, data like names, addresses, phone numbers, loyalty member data, dates of birth and other travel information were stolen in the breach.
The hotel giant also is forcing password resets for Bonvoy loyalty club members, who will also be prompted to enable multi-factor authentication on their accounts.
This is the Second Marriott breach in two years
This was not the first time that Marriott experienced a data breach. Back in 2018, Starwood, a subsidiary of Marriott, was hacked and personal data and guest records on 383 million guests were exposed.
The data included five million unencrypted passport numbers, in addition to more than 20 million encrypted passport numbers.
Passport numbers can be used for identity theft and to commit fraud. They are also data that remains highly valuable for spy agencies. Spy agencies can use the information to track down where government officials, diplomats and adversaries have stayed. This gives insight into what would ordinarily be clandestine activities.
Marriot also stated that 8.6 million unique payment card numbers were stolen, but only 354,000 cards were active at the time of the breach.
According to the statement by the company, there is no evidence the hackers stole the keys needed to decrypt the data, but did not say how they came to that conclusion.
The company said the contents of the stolen data were from the Starwood guest reservation database. Marriott acquired the database when it bought Starwood and its 1,200 properties in 2016.
Starwood’s security lapse became the largest data breach that year, and remains one of the most damaging hacking incidents in recent history.
In response to that breach, European authorities fined Marriott $123 million.
5 Common Causes for Data Breaches That Businesses Should Watch Out For
We compiled this list to help organizations prepare and prevent a breach like the one described above.
No business wants to deal with the blot on its reputation and the huge loss of money that follows a data breach. In order to create a robust data security and network security strategy, it’s important for you to understand what causes a data breach in the first place. Here is a list of some of the most common causes behind data breaches you should watch out for:
- Software or Network Vulnerabilities
- Accidental Employee mistake
- Malicious Misuse by Employee
- Malware attack
- Failure in Security of a Physical Device
Software or Network Vulnerabilities
Any software vulnerability that isn’t patched as soon as it is discovered is a convenient target for hackers. Make sure to test your software and find those vulnerabilities before the hackers do. If you can’t find the time or resources to test the software manually, use an automated application security testing solution like NexPloit or NexDAST.
Also please stay away from pirated software. While the fact that pirated software is illegal should be a reason enough to avoid it, what makes it even worse, it may contain all kinds of malware.
Since the network acts as a layer of protection, any faults in the network design or deployment could also lead to a data breach.
Accidental Employee mistake
From falling for a phishing scam to losing important documents containing confidential information, there is a wide range of mistakes that employees can make, causing a data breach. Lack of proper cybersecurity training as well as of stringent security policies can be blamed for these employee mistakes.
Malicious misuse by employee
Unlike the unintended employee mistakes, malicious misuse by an employee indicates something much more serious. Someone from the inside is intentionally sharing confidential business information for some sort of personal benefit. This cause of a data breach is extremely difficult for an organization to foresee. Defining clear user roles and setting suitable permissions for data and system use can help control access an employee has over business data.
Malvertisements and phishing are among hackers’ favorite ways of spreading malware. Malware attacks can quickly progress from its origin system, move into the network and infect other systems that come in its way. Installing an anti-malware software and keeping it updated is a must for any business. Educating employees about phishing and malvertisement is also essential.
Failure in security of a physical device
A data breach could also happen when a device is no longer secure; meaning the device is either lost or stolen. Those devices can be anything from a mobile device like laptop, smartphone, storage device, to servers. It’s not only important to keep the devices secure in the first place, but it’s also important to take extra measures, like encryption, for protecting the data on the device.
Stay safe out there!