As more and more data is received by companies every second it is vital for them to protect their customers at the highest level. Even the biggest tech giants did not avoid the failure: Google, Facebook But there is another field that receives tremendous amounts of very private information - hotels Let's discover how Marriott has overcame one of the biggest data 'leakages' in the history Or it hasn't?

1. Marriott: the cyber attack victim or
poor data protector?
By Kateryna Dalakova
MKM MMT
Seneca College
2019-06-05

2. Table of
Contents
● Background
● Comparison: Marriott vs
Huazhu Hotels Group
● Consequences
● Recommendation for hotel
visitors

3. Background

4. The biggest Data Breaches in the 21st century where from 22 M up to 3 BN of customers were
compromised proves that companies are still weak in protecting personal information
● In 2018, Marriott was on the second
place after the Yahoo data breach (3
BN). In 2019, Marriott took the third
place after the Facebook-Cambridge
Analytica Scandal (over 540 million
records were exposed, according to
TechCrunch )
● Marriott first revealed it had suffered a
massive data breach affecting the
records of up to 500 million customers
on 30 November 2018 while the data
have been stolen since 2016 (
O’Flaherty, Forbes )
Despite the newest data protection practices, Big
companies are still sensitive to the consequences of
data breaches: more customers - higher expectations
and requirements

5. In 2017 companies started to spend 20% more of their budget on cyber crimes compared to 2016
Costs
● 100,000 groups in at least 150 countries and more than
400,000 machines were infected by the Wannacry virus in
2017, at a total cost of around $4 billion. (Malware Tech
Blog)
● The average cost of a malware attack on a company is $2.4
million (Accenture)
● In companies with over 50k compromised records, the
average cost of a data breach is $6.3 million (Ponemon
Institute’s 2017 Cost of Data Breach Study)
● Damage related to cybercrime is projected to hit $6 trillion
annually by 2021 ( Park, Cybersecurity Ventures )
● The average cost per lost or stolen records per individual is
$141 — but that cost varies per country. Breaches are most
expensive in the United States ($225) and Canada ($190) (
Ponemon Institute’s 2017 Cost of Data Breach Study )
Risks
● Nearly half of the security risk that organizations face
stems from having multiple security vendors and
products (Cisco)
● Ransomware detections have been more dominant in
countries with higher numbers of internet-connected
populations. The United States ranks highest with 18.2
percent of all ransomware attacks ( Symantec )
● Most malicious domains, about 60 percent, are
associated with spam campaigns. (Cisco)
● 74% of companies have over 1,000 stale sensitive files.
(Varonis)
● In 2017, spear-phishing emails were the most widely
used infection vector, employed by 71 percent of those
groups that staged cyber attacks ( Symantec )
● The most expensive component of a cyber attack is
information loss, which represents 43 percent of costs
(Accenture)
● Ransomware attacks are growing more than 350 percent
annually. (Cisco)
● A business will fall victim to a ransomware attack every
14 seconds at that time. ( Park, Cybersecurity Ventures )

6. There are 5 most important facts in Marriott data breach; the weakest side of Marriott are
resolving conflicts and health check for the cyber security frauds
Starwood Acquisition
Starwood guest reservation database
was affected, which Marriott acquired
when it bought Starwood and its 1,200
properties in 2016 for $13 billion.
(Whittaker, TechCrunch )
The disadvantage of the 3rd
party
Marriott sent its notification email from
“email-marriott.com,” which is registered
to a third party firm, CSC, on behalf of the
hotel chain giant. But there was little else
to suggest the email was at all legitimate
— the domain doesn’t load or have an
identifying HTTPS certificate.
Also did not consider consider the
cybersquatters (register lookalike
domains) ( Whittaker, TechCrunch)
Credit Cards
8.6 million unique payment card numbers
were taken, but only 354,000 cards were
active and unexpired at the time of the
breach in September. “No evidence” to
show that the hackers stole the keys
needed to decrypt the data ( Whittaker,
TechCrunch )
385 Million of unique guests data
stolen
Hotel giant still can’t yet give a more precise
number of customers whose data was stolen
Passport Data
5 million unencrypted passport
numbers were stolen, on top of the
more than 20 million encrypted
passport numbers ( Whittaker,
TechCrunch )
05
01
02 03
04

7. 60% medium businesses experience cybersecurity attacks more frequent compared to big ones,
large companies usually deal with the loss in an inadequate way
● Marriott communicated the problem too late,
via third party company and did not include
any reasons for their economical damages
into the 10-Q report (covered only in 8-K
Annual Report) ( Rajgopal, Gezer, HBR )
● The current board has 13 members but none
of them has a cyber security or deep
technology background. Marriott does not
have a dedicated cyber risk committee.
( Rajgopal, Gezer, HBR )
● Starwood now uses database and software
of Marriott which was not affected after the
breach has occured.
Marriott ignored procedures which were necessary
for the implementation, which appeared as the
main cause of the breach
Cutting off the
acquisition
costs
Poor issue
disclosure Board needs
more expertise

8. Comparison: Marriott vs
Huazhu Hotels Group

9. Huanzhu Hotels Group strategy of disclosing the issue and speed of action outperformed Marriott
Huazhu Hotels Group
Background:
Affected 130 Million of customers
500 million pieces of guest related
information
Strategy:
2 news releases were launched:
1st - reassured its commitment to
consumer protection and privacy;
2nd - additional details on the
progress of the police investigation,
including the arrest of suspects
linked to the hack and whose
attempted sale of consumer data
“was not successful.” (Hotel News
Now )
Marriott
Background:
Acquired the chain which contained
a cyber fraud
Affected 300 Million of customers
500 million pieces of guest related
information
Strategy:
Email sent to the customers who
were affected via the 3rd party
company
● HHG - leading and fast-growing
multi-brand hotel group in China.
Founded in 2005, HUAZHU has
been ranked as the 12th largest
hotel group globally. The group
currently owns and operates over
3,000 hotels across over 350
cities in China, providing business
and leisure travellers with
high-quality, and
conveniently-located hotel options
from upscale to economy.
(AccorHotels )

10. What Marriott could have done differently?
There is no executive in Marriott’s Board who have
an IT background, which put the company into the
repetitive cyber risk
Organize the cyber
security department with a
CISO
Primary system ‘cleaning’
and health check of
Starwood
Register and secure the
original unique domain
without intermediaries
Maintain monthly the deep
security health check
procedures
● To avoid further cyber security
issues, Marriott first of all needs
to hire the professional CISO who
will manage:
- Security operations
- Cyber risk and cyber intelligence
- Data loss and fraud prevention
- Security architecture
- Identity and access management
- Program management
- Investigations and forensics

11. Recommendation for
hotel visitors

12. 6 steps to follow after the information leakage
Change password and
monitor the suspicious
activity
Separate
credit card
for online
transactions
Limit the
information
you share
Be vigilant
Avoid
saving card
info on
websites

14. Works Cited
● @MalwareTechBlog. ‘The latest unique IPs count from the WannaCry sinkhole is 416,989’. Twitter, 19 May 2017, 7:50 p.m.
twitter.com/reallyvirtual/status/64780730286358528?lang=en.
● O'Flaherty, Kate, ‘Marriott CEO Reveals New Details About Mega Breach’. March 2019.
https://www.forbes.com/sites/kateoflahertyuk/2019/03/11/marriott-ceo-reveals-new-details-about-mega-breach/#447ed564155c. Accessed on June 4
2019
● Park, Menlo. ‘Cybercrime Damages $6 Trillion By 2021’. Cybersecurity Ventures. 2017.
https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/ . Accessed on June 4 2019
● Rajgopal, Shivaram; Gezer,Bugra. ‘The Marriott Breach Shows Just How Inadequate Cyber Risk Disclosures Are’. March 2019.
https://hbr.org/2019/03/the-marriott-breach-shows-just-how-inadequate-cyber-risk-disclosures-are. Accessed on June 4 2019
● Whittaker, Zach:
- ‘Researchers find 540 million Facebook user records on exposed servers’. April 2019.
https://techcrunch.com/2019/04/03/facebook-records-exposed-server/ . Accessed on June 4 2019
- ‘Marriott now says 5 million unencrypted passport numbers were stolen in Starwood hotel data breach‘.January 2019.
https://techcrunch.com/2019/01/04/marriott-five-million-passport-numbers-stolen-starwood/. Accessed on June 4 2019
● AccorHotels. 2016. https://www.accorhotels.com/gb/brands/hotels-huazhu.shtml. Accessed on June 4 2019
● ‘Cisco Benchmark Report 2019’, Cisco Inc. 2019. https://www.cisco.com/c/en/us/products/security/security-reports.html . Accessed on June 4 2019
● ‘Internet Security Threat Report’, Symantec. 2018
http://images.mktgassets.symantec.com/Web/Symantec/%7B3a70beb8-c55d-4516-98ed-1d0818a42661%7D_ISTR23_Main-FINAL-APR10.pdf?aid=elq_ .
Accessed on June 4 2019
● ‘Global Data Risk Report’. Varonis. 2018. https://info.varonis.com/hubfs/2018%20Varonis%20Global%20Data%20Risk%20Report.pdf. Accessed on June 4
2019
● ‘2017 Cost of Cyber Crime Study’. Accenture. 2017. https://www.accenture.com/us-en/insight-cost-of-cybercrime-2017?src=SOMS . Accessed on June 4
2019
● ‘2017 Cost of Data Breach Study’.Ponemon Institute. June 2017.https://www.ibm.com/downloads/cas/ZYKLN2E3. Accessed on June 4 2019