During the first half of 2018, “mega breaches” involving one million compromised records or more entered the cybersecurity lexicon, exposing the records of more than 100 million people and threatening consumer trust. Now, as we approach the end of the year, the world’s largest hotel chain is set to shatter consumer data breach records. On Friday, Marriott revealed that the private information of up to 500 million guests who made reservations from 2014 to September 2018 may have been accessed as part of a breach of its Starwood guest reservation database.
The information includes names, mailing and email addresses, phone numbers, passport numbers, Starwood Preferred Guest account information, dates of birth, gender detail, and more. Affected properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Elements and the Luxury Collection. Those who have stayed at these properties should change their rewards account passwords, as well as the passwords on any other accounts that might share the same password, and regularly review their credit card activity.
While it is early days in the breach investigation, and it is important to note that the number of affected guests is not yet known (it is unclear whether 500 million indicates the potential number of reservations or of individual people involved), reaction has been swift and strong. Within hours of Marriott’s announcement, two lawsuits were filed seeking class-action status and damages of $12.5 billion in costs and losses. Additional lawsuits against Marriott are expected to be filed in the coming months, and politicians are speaking out.
“Clearly the current status quo isn’t working — the Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information. Until companies like Marriott feel the threat of multi-billion dollar fines, and jail time for their senior executives, these companies won’t take privacy seriously.” – U.S. Senator Ron Wyden of Oregon
What can companies do to advance their security posture as we head into 2019?
One thing is clear: in today’s threat landscape, cybersecurity is not just about protecting data; it’s about neutralizing potentially devastating attacks that can literally bring an organization down. Ad hoc security infrastructures cobbled together with disparate point solutions are ineffective; modern enterprise defense requires an integrated ecosystem.
Safeguarding information across every control point and attack vector requires us to raise the productivity of security engineers and arm ourselves with the tactical, operational and strategic insights we need to understand how we are being targeted, so we can invest in—and integrate—the right set of countermeasures.
We can achieve this by taking an innovative approach to the fundamental elements of effective security:
- Infrastructure security
- Data and application security
- Intelligence and analytics
- Threat and vulnerability management
- Identity and access management
- Program strategy and operations
The sooner you can build programmatically in these areas, the more protected you and your customers will be. Find out how to start orchestrating solutions and advancing your overall security posture in our new eBook, Transforming Enterprise Cybersecurity.