The hotel chain was hit by a cyber hack affecting 500 million customers’ personal data. From IT security and due diligence to cyber insurance, risk managers draw out lessons for the future

For any of the half a billion people who slept in a Marriott International hotel over the past five years, the theft of their personal data was perhaps the last thing they were worried about.

Until it happened.

In November the chain confirmed that a major hack had affected up to 500 million customers, with stolen data including sensitive information such as names, addresses, dates of birth and passport numbers.

Equally worrying, Marriott – which runs around 6,000 hotels in 127 countries – said credit card details might also have been exposed.

It’s one of the most severe and high-profile data breaches in recent years, but by no means the only one. Other notorious cases include the hack of the dating website Ashley Madison and the 2013-14 Yahoo breaches, which exposed 3 billion user accounts.

For the affected organisations, the impact of these breaches can be severe. Not only are there reputational consequences, but GDPR legislation can also mean hefty fines. And Marriott’s share price fell by 5% as the scale of the breach was revealed.

But while surveys suggest cyber is at the top of risk managers’ minds, these breaches keep happening.

Back foot on cyber

James Pothecary, special risks co-ordinator at risk management service provider, Healix International, said: “The Marriott data breach is an excellent example of how companies are on the back foot when it comes to cyber security.

“Despite unauthorised users accessing the guest reservation database of its Starwood subsidiary since 2014, the company only became aware of the breach in September last year.

“A time lag of four years between incident and detection demonstrates that even major multinational companies lack the sophisticated cyber security systems to mitigate the threat posed by hackers.”

Darron Gibbard, chief technical security officer, EMEA North, at IT security company Qualys, added: “This points out how difficult it can be to discover when attacks have taken place.

“Security teams have to look for items that are out of the ordinary, for example, a finance account trying to access network security servers or operations files when they would never normally need that data. These indicators of compromise can flag that there is an issue and help track down what is taking place.”
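The check Gibbard describes is a baseline-and-deviation rule: learn which kinds of systems each account normally touches, then flag the first time it reaches something outside that set. The following script is an added example, not code from the article or from Qualys; the log format, hostnames, account names and the prefix-to-category mapping are all constructed for illustration.

```python
"""
Added example (not from the article): a minimal baseline-and-deviation check
over access-log lines, of the kind Gibbard describes.

Each log line records which account touched which resource. A baseline of the
resource categories each account normally uses is built from a learning window;
later events touching a category the account has never used before are flagged
as indicators worth investigating, e.g. a finance account reaching a
network-security server.

Log format, hostnames, account names and category mapping are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <account> <resource> <action>"
SAMPLE_LOG = """\
2018-09-01T08:02:11 fin.alice erp-ledger-01 read
2018-09-01T08:15:40 fin.alice erp-ledger-01 write
2018-09-01T09:00:03 ops.bob reservations-db-02 read
2018-09-02T10:30:55 fin.alice payroll-fs-01 read
2018-09-02T11:12:00 sec.carol fw-mgmt-01 write
2018-09-02T11:40:09 ops.bob reservations-db-02 read
2018-09-03T23:14:27 fin.alice fw-mgmt-01 read
2018-09-03T23:16:05 fin.alice reservations-db-02 read
2018-09-03T23:20:44 sec.carol fw-mgmt-01 read
"""

# Hostname prefix -> resource category (constructed naming convention).
CATEGORY_BY_PREFIX = {
    "erp-": "finance",
    "payroll-": "finance",
    "reservations-": "operations",
    "fw-": "network-security",
}


def categorize(resource):
    """Map a hostname to a coarse category; unknown hosts still get flagged."""
    for prefix, category in CATEGORY_BY_PREFIX.items():
        if resource.startswith(prefix):
            return category
    return "unknown"


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, resource, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "resource": resource,
            "category": categorize(resource),
            "action": action,
        })
    return events


def build_baseline(events, cutoff):
    """Per-account set of categories seen before the cutoff (learning window)."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["account"]].add(e["category"])
    return baseline


def find_deviations(events, cutoff_iso):
    """Return (account, resource, category) for post-cutoff events whose
    category the account never touched during the learning window."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        if e["category"] not in baseline.get(e["account"], set()):
            alerts.append((e["account"], e["resource"], e["category"]))
    return alerts


if __name__ == "__main__":
    for account, resource, category in find_deviations(
            parse_log(SAMPLE_LOG), "2018-09-03T00:00:00"):
        print(f"INDICATOR: {account} accessed {resource} ({category}) "
              f"outside its baseline")
```

Running it flags the two late-night accesses by `fin.alice` to the firewall-management and reservations hosts, and not `sec.carol`, whose job involves the firewall host. The caveat matters for a case like Starwood: the learning window must itself be clean. If an intruder is already inside when the baseline is built, their access becomes part of "normal", which is one reason a four-year dwell time is so hard to unwind after the fact.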

The fact it took so long for the hack to be noticed is all the more surprising given that Marriott only bought Starwood in 2016, two years after the attack.

Importance of due diligence

Danny Wong, former director of corporate risks for rival hotel chain InterContinental, said Marriott would have been prudent to look at Starwood’s IT infrastructure “to know whether there are any skeletons or viruses in the closet” before closing the $13bn acquisition.

“When doing due diligence in most transactions, I imagine the parties involved focused on financial cashflows, liabilities and contracts and considered motivation, other intangible factors in the negotiation and ultimate transaction value,” he said.

“This is akin to buying a house and asking for the cheapest or minimum survey required in order to secure a mortgage,” he added.

Wong, founder and chief executive of GOAT Risk Solutions, said cyber risks are so complex that even major corporates and governments can be exposed.

“We are now in a world where no one promises absolute protection, but businesses, especially large ones.” Those firms, he said, identifying tech companies in particular, value reputation and must be able to demonstrate strong controls.

He added: “The public are forgiving if you have done everything you can to prevent, communicate and apologise immediately and respond sensitively.”

But he noted that there must be a shift in attitude. “The media should help make the perpetrators the bad guys – not the corporates. But the corporates should help themselves by managing through the crisis event.”

One of the main challenges faced by risk managers is that cyber threats come from several sources, and the technology is continually evolving. This can make it hard to keep up.

Marek Stanislawski, deputy global head of cyber and tech PI at Allianz Global Corporate & Specialty, said: “We need to think about this as an arms race. There are very talented people working on both sides of the line, the offensive and the defensive.

“However, there is an asymmetry: the attackers have one objective and are fully focused on it. The defenders need to spread their attention over all of the company’s assets. They need to factor in availability, budgetary constraints, new technologies used by the company which can become ‘weak points’ in the network, they have to sieve through hundreds of false positives, etc.”

Proactive approach needed

For risk managers to adequately protect against cyber attacks, a more proactive approach is required.

Companies need to be far more aware of the cyber risks within their supply chains. Complex, multi-sourced supply chains substantially reduce the risk of interruption, and those benefits are well documented.

But they carry risks too. More suppliers mean more potential avenues for attackers to exploit, not to mention more people with access to systems and data, each of whom is a potential point of compromise.

Brian Harrison, chief executive of cyber security platform AVORD, said: “Major corporations often have very large and complex supply chains leaving them susceptible to abuse. Although this is a problem that is now being recognised, there is still much more to do.”

Gibbard, previously head of risk at Visa Europe, added: “The biggest challenge is how big these networks have become – enterprises have millions of devices, all running different software, and all will need updating. 

“Some of these networks and assets will be bought in through mergers or acquisitions, and they have to be joined up. If that doesn’t take place, you end up with poor visibility of what is taking place.”

Fortunately, there are steps organisations can take to better protect themselves against such attacks.

The first is to make sure software updates are properly applied across an organisation. That includes every device whether company-issued laptops or personal phones that staff use to access work emails.

Educate

Cyber security specialists must educate all staff – regardless of position or rank – on the basic steps to protect corporate data, such as locking computers when not in use, using strong, unique passwords and keeping them private, and changing a password promptly if it may have been exposed. Current guidance, such as NIST SP 800-63B, favours long unique passwords and multi-factor authentication over forcing routine password changes, which tend to push people towards weaker, predictable variations.

Gibbard said: “Most issues can be prevented – most security hacks are successful because a software update has not been applied.”

This diligence needs to be applied throughout the supply chain, including even the smallest suppliers.

Harrison said: “There is no such thing as a small unauthorised access to your database, or ‘they are only a small supplier’. Stolen data is potentially catastrophic for any company, and corporations are only as secure as their weakest link.”

Gibbard also advises risk managers to focus more attention on IT after a merger or acquisition.

He said: “If you can consolidate your security and IT asset management services quickly, you can keep that accurate picture of all the assets in mind. Having a plan to consolidate or integrate IT services over time can help reduce costs as well.”

Another thing companies can do to try and protect themselves is buy insurance. However, risk managers have severe misgivings about whether insurers are willing to put their money where their mouth is when it comes to paying cyber claims.

Elaine Heyworth, head of risk and insurance for communications regulator Ofcom, said she is not aware of a single major cyber claim paid by insurers.

And the insurance industry does not help itself. For example, Zurich is refusing a $100m claim by snack manufacturer Mondelez, which was hit hard by the 2017 NotPetya malware attack. Mondelez’s policy contained a cyber endorsement, but Zurich is invoking the policy’s war exclusion, which bars payment for hostile or warlike acts, on the grounds that the attack has been attributed to the Russian government.

“I personally believe insurers are lazy about cyber – and also incompetent,” said Heyworth.