In today’s highly digitalized world, almost every company is at risk of various cyber threats. The storage of customers’ and employees’ personal data, technologic reliance, and operational services can be compromised (Guide to cyber liability insurance, 2019). In response to the need to protect organizations from these risks, a cyber insurance market emerged. In the case of Padgett-Beale, it is evident that the company lacks preparedness for data breaches, lacking strategic response plans (Gressin, 2018). The business needs a properly designed and implemented cyber policy since it ensures the protection of network security, privacy and media liability, and comprehensive incident response (Burke, 2020). This paper aims to critically evaluate data breaches in Starwood Hotels based on information from court findings and reports to provide relevant recommendations for implementing as a part of an effective data breach response policy.
Overview of Data Breaches
Marriott is one of the biggest companies in the hospitality industry, integrating 7,300 hotels under 30 brands in more than 120 countries around the world (Gressin, 2018). The company released information about its data breaches in 2018, but the first episodes began in 2014. As stated by the Information Commissioner’s Office (ICO), 339 million guests were exposed to data leakage, namely, their mailing addresses, passport numbers, email addresses, gender, arrival and departure dates, and phone numbers were stolen (Nohe, 2019). Marriott also warned that hackers could obtain information about the bank cards of some clients.
The information about those who initiated this data leakage is not available, but probably it is not disclosed publicly. The Commissioner’s Office states that Marriott has made the necessary security improvements. Namely, to show responsibility for this incident, Marriott decided to create a dedicated website and call center to answer customers’ concerns. However, Nohe (2019) mentions that there is a risk of choosing a third-party website that fishes personal information. Therefore, it is critical to go to the correct website to check whether one was affected or not.
Court Case and Government Findings
The key reason for this vulnerability is associated with a lack of attention to the due diligence compliance that should have been conducted when Marriot bought Starwood Hotels (Statement: Intention to fine Marriott, 2019). Marriott failed to ensure data safety, which resulted in massive data breaches. As for the victims, 30 million guests were residents of 31 countries of the European Economic Area, and 7 million were residents of the UK. Payment information of some hotel guests also leaked, although Marriott did not disclose the number of such records. A significant failure is that the information about the means of payment was encrypted, but the components needed to decrypt it were also stolen.
The ICO investigation revealed that Marriott did not take the necessary technical and organizational measures to guarantee the security of personal data managed by its computer systems. As a result of this data breach in 2019, the UK Data Protection Authority, the ICO, fined this major hotel chain. Under the General Data Protection Regulation (GDPR), Marriot could be fined for more than £99 million, but it was £18.4 million, while the expenses accounted for more than £50 million (Nohe, 2019). The court decided that Starwood Hotels failed to properly assess cybersecurity deficiencies in terms of due diligence. Still, the consequences of this data leakage are not fully evaluated since new incidents may occur without elaborate cyber liability insurance.
Also, Martin Bryant, a founder of Big Revolution, filed a class-action suit in the High Court of London, which was attended by people who stayed at the Starwood Hotels in the UK. They act under the UK Data Protection Act and the EU’s 2016 General Data Protection Regulation, while the amount of the requested compensation for damage is not disclosed (Errick, 2021). In 2020, it became known about a new leak of data about Marriott customers, which affected 5.2 million hotel guests managed by the company. This recent incident shows that the company did not improve its cybersecurity system after the previous attacks. During the court investigation, the hotel chain was “accused of negligence, negligence per se, breach of contract, breach of implied contract, breach of confidence, and deceptive and unfair trade practices” (Errick, 2021). However, the court concluded that the plaintiffs failed to demonstrate the facts that confirm Marriott’s cybersecurity breach.
Best Practice Recommendations
Based on the review of the data breaches and associated vulnerabilities, it is important to stress that people should be considered as one of the key assets. Only if all the employees are committed to organizational security, a company can succeed. In this connection, the first recommendation is to provide employee training to keep them aware of the recent trends in data security and encouraging them to contribute to business integrity (Li et al., 2019). Proper training would make sure that employees can recognize and address cyber threats by using safe passwords, reporting timely, and protecting sensitive information.
The policy of constant vigilance can be recommended since cyber-attacks remain dynamic, including their methods, types, sources, and technology. Accordingly, not only current disruptions should be studied and addressed, but also potential attacks should be anticipated. Such a policy would allow businesses to become less vulnerable. Constant vigilance is especially important in the period of the COVID-19 pandemic when many employees have to work remotely, having no or little protection from malicious actions (Scroxton, 2020). Another policy that is worth recommending is strategic planning of threat models and the subsequent development of response measures (Statement: Intention to fine Marriott International, 2019). For example, since customers’ information was accessed via employees’ accounts in the case of Marriott, it is possible to recommend monitoring suspicious employee account behaviors, such as volume of data accessed or scope of access. This policy would integrate the system and human factors to better protect businesses.
In consistence with the constant vigilance policy, a process of cyber-attack simulation can be adopted. For example, the worst-case scenario can be developed to allow the IT team better understand what they should do (Guide to cyber liability insurance, 2019). Such a process would be useful for the company to avoid lawsuits and regulatory inquires. Moreover, it would allow keeping customers loyal since the authority of the company would not be compromised. As a part of scenario creation, roadmaps can be simulated to identify specific steps to be taken in case of cyber threats (Scroxton, 2020). Namely, the responsible persons, certain actions, and many other details should be determined in advance to minimize negative outcomes. Incident reporting is one more critical process that should be implemented by businesses since it took several years for Marriott to recognize its vulnerability. If it would report earlier, the reaction of the regulatory bodies and the public might be different.
As for technology, Marriott and Padgett-Beale should adopt a two-factor or multi-factor authentication (MFA). Anakath et al. (2017) state that it is an advanced access control mechanism that implies two or more aspects to be involved to reach the necessary data. Among the factors that can be set, there are identity confirmation, specific questions, and ownership, which need to be clarified before the system provides access (Scroxton, 2020). The MFA can be used for cloud databases as well, and it makes them a universal protection method. In the case of Marriott, customers can be invited to provide their biometric data as an additional step of security. In addition, the attempts to access sensitive information from suspicious locations should be blocked by the system until a customer verifies his or her identity in the process of MFA.
Conclusion / Summary of Recommendations
To conclude, this paper explored the concept of cybersecurity insurance, covering network security, business interruption, errors, and media liability. The analysis of Marriott’s customer data breach revealed that a lack of compliance with due diligence after buying Starwood Hotels resulted in millions of compromised passport and phone numbers, mailing and email addresses, and other hotel stay information. The company was fined £18 million, but the data leakage occurred again, which shows the insufficiency of response measures. Therefore, it was recommended for Marriott and Padgett-Beale to initiate employee training, engage in constant vigilance and strategic planning policies, practice cyber-attack simulations, and adopt MFA. Most importantly, there is a need to implement a combination of response efforts to ensure comprehensive business protection.
References
Anakath, A. S., Rajakumar, S., & Ambika, S. (2019). Privacy preserving multi factor authentication using trust management. Cluster Computing, 22(5), 10817-10823.
Burke, D. (2020). Cyber 101: Understand the basics of cyber liability insurance. Web.
Errick, K. (2021). Court dismisses Marriott data breach suit for lack of standing. Web.
Gressin, S. (2018). The Marriott data breach. Web.
Guide to cyber liability insurance. (2019). Web.
Li, L., He, W., Xu, L., Ash, I., Anwar, M., & Yuan, X. (2019). Investigating the impact of cybersecurity policy awareness on employees’ cybersecurity behavior. International Journal of Information Management, 45, 13-24.
Nohe, P. (2019). Autopsying the Marriott data breach: This is why insurance matters. Web.
Scroxton, A. (2020). What we can learn from Marriott’s new data breach embarrassment. Web.
Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach. (2019). Web.