
This case study shows how important it is to have an individual within your organization who is willing to instruct and supervise affiliates on security best practices. If a company has no one willing to take on these tasks, significant damage can follow, including financial losses, a decline in brand reputation, and dissatisfied customers.
Marriott is one of the largest hotel chains and is known nationwide. However, even the largest businesses are vulnerable to cyber threats. Marriott experienced a significant breach that was identified in 2018, but the intrusion dated back to 2014 and a separate company, Starwood. Marriott’s acquisition of Starwood brought that already-compromised customer data into Marriott’s own environment. The result was significant financial repercussions, including legal fees and reputational damage (Young, 2021). The damages were estimated at approximately $23.8 million in penalties (Hollander, 2023).
The initial point of compromise, however, was not Marriott but Starwood. “In 2014, 2 years before the acquisition of Starwood, their company guest reservation system was infiltrated by a remote access trojan (RAT)” (Young, 2021). “A RAT (remote access trojan) is malware that an attacker uses to gain full administrative and remote control of a target computer” (Yasar, 2022). A remote access trojan can reach a victim in many ways: cybercriminals deliver them through exploit kits, phishing emails, download packages, web links, social engineering, etc. (Yasar, 2022).
Starwood was running an outdated version of Windows on servers across its system, leaving its remote access protocol ports open to the internet (Young, 2021). Any company running outdated servers or applications is at risk of being exploited by cybercriminals, so companies should ensure that all their systems are kept up to date. Exploiting the outdated Windows servers allowed the cybercriminals to establish backdoor access to Starwood’s systems and remain unnoticed.
The cybercriminals hid in Starwood’s system for years, and they were still there in 2016 when Marriott finalized its acquisition of Starwood. The acquisition gave Marriott the opportunity to find the intrusion before merging Starwood’s devices into its own systems. However, Marriott failed to complete a detailed cybersecurity audit of Starwood’s networks and systems (Young, 2021), which allowed the cybercriminals to remain undetected throughout the entire acquisition process. Marriott should have completed a detailed assessment of Starwood’s systems to mitigate the threat, especially since Starwood was notorious for insecure reservation systems (Hollander, 2023). Marriott then began transferring information from Starwood devices to its own. The information transferred included names, addresses, phone numbers, email addresses, passport numbers, and credit card numbers (Young, 2021).
In 2018, a security alert led Marriott to discover that its systems had been breached. Marriott hired forensics specialists to launch an investigation and reported the incident to law enforcement (Young, 2021). By late 2018, Marriott publicly disclosed that its systems had been compromised, resulting in the loss of private data for nearly 500 million customers around the world.
Marriott suffered millions of dollars in damages that could easily have been avoided. Starwood should have implemented proper safeguards for its remote desktop protocol ports (Young, 2021). In addition, it should have known that its systems were outdated and needed security updates. Starwood was widely known for taking shortcuts in cybersecurity, and Marriott should have been aware of that. Marriott, however, did not consider that the systems it was acquiring could already have been compromised. This lack of effective security and threat detection allowed the remote access trojan to persist in its systems.
The breach of Marriott’s systems shows that a company of any size can fall victim to a cyber-attack. Companies therefore need to ensure that they have up-to-date systems, effective security and threat detection, and properly trained specialists to safeguard information. If a company shortcuts any of these security measures, the repercussions can run to millions of dollars in legal, recovery, and reputational damages.
References:
Hollander, J. (2023, February 16). Marriott data breach FAQ: What really happened? Hotel Tech Report. https://hoteltechreport.com/news/marriott-data-breach
Young, K. (2021, November 1). Cyber case study: Marriott data breach. CoverLink Insurance – Ohio Insurance Agency. https://coverlink.com/case-study/marriott-data-breach/
Yasar, K. (2022, October 20). What is a RAT (remote access trojan)? Definition from TechTarget. TechTarget Security. https://www.techtarget.com/searchsecurity/definition/RAT-remote-access-Trojan