Sometimes It’s Just Not Enough

Sometimes as consumers we’ve taken all the previous advised steps. We switched to an encrypted browser, ran all the latest patches and only gave our information to those we trust. But what happens when that’s not enough? Victims of the Starwood/Marriott data breach learned this lesson firsthand.

As we all know locking your doors is not enough to deter intruders. Home security systems in the 21st century have put the focus on detection, monitoring, and fast response to steer intruders from break-ins. We believe that these steps could have also prevented the Starwood/Marriott breach.

The Marriott breach started in 2014 before the company acquired Starwood systems in 2016. Threat actors remained undetected in the system until 2018 when the company was finally notified. Detection is the first step to stopping the intruders. Over that 4 year period it was determined that numerous files were created and deleted. With 5.2 million guest records being stolen from their system.

Once detected, all within a couple of months, the company managed to identify and contain the incident but the damage was done. Had Marriott placed a focus on thoroughly monitoring the systems the intrusion could have been detected two years prior.

With that being said, the fault does not solely rely on Marriott. Starwood managed the infected system for almost 2 years before they handed it over to Marriott. Again, initial detection could have stopped the data breach before any harm was done. Companies must place a stronger emphasis on monitoring and protecting the data they store.