The second Marriott breach: Should we care anymore?

News broke this week that Marriott International, the holding company for the Marriott chain of hotels, has suffered another data breach; this time it included the names, addresses, and social security numbers of 1,552 current or former employees. But, with all the major breaches that happen almost daily, this one can seem like back-page news. As both professionals and consumers, our senses are dulled by the constant onslaught of multi-million-record breaches. Even when it is a second offense for a company, our collective response can sometimes be “so what?”. And in this case, Marriott’s offense involved a relatively small number of employee records stolen through a third party, so it is tempting to give them a pass on this one and move on to the next bigger, more sensational incident. And social security numbers, while still sensitive, are not the keys to the “identity theft kingdom” that they once were, so maybe Marriott gets off the hook this time? Here’s why we shouldn’t do that.

An in-depth look at Marriott’s second strike

Suffering a second or even a third or fourth breach of a company’s systems (as has happened with some companies, like the Hard Rock Casino) says something serious about that firm’s ongoing security posture as well as its incident response and follow-up. It also speaks to its general attitude towards security and privacy at the highest levels. Sure, lightning can strike twice and hit even a well-secured enterprise.

But usually, when there is a repeated pattern of breaches, even in different areas as this was, it hints at a deeper issue. These companies tend to lack an in-depth, overall information security strategy covering all parts of the enterprise, including partners and vendors. They aren’t practicing “secure by design” but rather a reactionary “fix it once it’s broke” approach. Often at these organizations, top-level security positions do not report up to the board or CEO, but rather are closeted under a functional department such as IT or operations. This means that known problems can go unfixed due to other budget priorities and issues. Plus, incidents like the ones Marriott had can be swiftly swept under the rug as soon as the forensic teams leave. I don’t know for sure that this happened at Marriott, but it has all the hallmarks of a not fully baked, enterprise-wide security strategy.

Key takeaways

There is also a tendency, when an incident is caused by a third party, to blame the vendor. After all, they are the ones that got hacked, not the poor, victimized company that collected your data! These companies often issue press releases trying to wash their hands of it and implicating the third party as the bad actor. This is both disingenuous from a corporate responsibility standpoint and typically statutorily irrelevant. We all use vendors these days that handle at least some of our customers’ data. Most regulations hold the collecting party responsible, regardless of how the information got out. If a company is not diligent in putting in place a solid, ongoing vendor management program, using technical solutions such as vendor privileged access management (VPAM) to secure vendor access, and following that up with good oversight and audit, then the company should be doubly guilty rather than absolved.

Now that we are in the “mature” phase of cybercrime, where it is an established “business model” and most businesses will be at least targeted if not victimized, there is no excuse for just assuming the worst won’t happen, or hoping it won’t happen again if it does. We need to hold companies that collect and process our data accountable for what happens to it (and, by implication, to us) when it falls into the wrong hands. Maybe this will be the wake-up call Marriott needs to get its house in order. Some breached companies learn from a breach and become more secure as a result; others end up back in the defendant’s dock as subjects of customers’ or employees’ lawsuits when it happens again.


*** This is a Security Bloggers Network syndicated blog from SecureLink authored by Tony Howlett. Read the original post at:

Tony Howlett

Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.
