What lessons can we learn from Marriott’s response to their Cyber Breach?

Posted on 7 December

This week, Charlie discusses the Marriott hotel hack and how you can prepare your organisation for a potential data breach.


You couldn’t have missed the Marriott hotel’s cyber breach and the possible loss of up to 500 million customer records in the news last week. There are a number of lessons we can learn from their response and we can use this incident to check if our organisations would have the ability, in terms of customer communications, to manage a similar breach.

In previous bulletins, we have talked about making sure you perform a risk assessment on your data and understand what you have to lose if a hacker “got the lot”. The first question from the risk assessment is “What does your organisation have which others might want?”. For the Marriott hack, this could be personal data and credit card information. One of the speculations I read about the hack is that it was executed by Chinese intelligence. This is why the hack continued for four years, and was not just a short dash into the systems to extract as much data and credit card information as possible before being discovered. The article said there is a lot of intelligence value in who is travelling, where they are travelling to and who they are meeting. This was the information held on the website and is great value to an intelligence service, as it is an easy way to keep tabs on the key people they are interested in. So, the first lesson is that if you are a hotel chain, airline or travel booking service, you are at an increased risk of being hacked by government intelligence services. These organisations need to take additional precautions in response to this increased risk.

The hack was on the Starwood brand, which was recently bought by the Marriott Group. The second lesson is that if you are going to buy a new company and integrate their IT system into your existing systems, you need to make sure that due diligence is done to ensure that their systems have not been compromised before you integrate them. If this is not done, the hacker will have access to all the merged systems.

As the USA does not have the same GDPR rules for reporting breaches as European Union organisations, USA companies have more time to prepare their customer service response before informing customers. GDPR states a maximum time of 72 hours for reporting, which means there is very little time to prepare a customer response if no prework has been done and call off contracts are not in place. Marriott were able to put in place a call centre, which could answer calls in multiple languages, and also publish advice to customers on a website in 20 different languages. So, the third lesson is to consider the languages your customers speak and ensure that you can quickly put together customer information in multiple languages.

As well as publishing a set of frequently asked questions, Marriott has supplied a multi-language call centre number for concerned customers to call in. I rang the call centre and my call was answered almost straight away. With a possible 500 million records impacted, that is a huge amount of potential calls. If customers are unable to get through to the call centre, this could lead to a second negative news story about concerned and angry callers not being able to get through to get information. To prevent this from happening, you have to put as much information on the website as possible, to try and limit the number of calls. Lesson four is, as a result of the tight timetable for informing customers, you do not have time to try and find an available call centre, sign a contract with them, produce scripts, get suitable numbers and make your customers aware of the helpline. This has to be prepared in advance and has to be relevant to the geography, numbers and languages of your customers.

The website which provides information on the breach has been set up by Kroll and has a Kroll web address: https://answers.kroll.com/. If you look at both the Starwood and Marriott websites, there is no mention of the breach at all. The advantage of using the Kroll website is that customers are not reminded about the data breach every time they book a hotel. A second reason for the information not being on their main websites, could also be that the Marriott and Starwood websites were not easily configured to meet the requirements of a data breach. The downside is that in big data breaches, fraudsters and others trying to make an InfoSec point will set up fake sites which are very close to the name of the answers site. Fraudsters will use these sites to try and persuade people to put in their data, which they can use for their own purposes. Lesson five is that you should have a dark site ready to go within your existing website, using your own URL, which you can use to provide information to those impacted by the breach. Best practice says you should not use a third-party provider website.

Marriott are sending out millions of emails to customers to inform them of the breach and the compromise of their data. The issue is that the emails don’t look like they have come from Marriott and there is little to show that they are legitimate and the domain they have come from is real. They can also be easily spoofed. The use of emails for notification has to be thought through, to ensure that the sending out of emails don’t exacerbate the situation further. Lesson six is that if you are going to use emails to inform stakeholders of a breach, make sure this is thought through. Ensure you have thought about whether you have an email address for every customer, how many emails you might have to send out, what engine you are going to do this with, what domain you are going to use and what precautions you need to put in place to make sure that your emails are seen as legitimate, and fraudsters don’t send spoofed emails to harvest data.

The last lesson is that it is the main brand which suffers the loss of reputation in a hack, even if the hack was confined to the systems of one brand. Marriott is mentioned much more often than Starwood.

As I have written in earlier bulletins on cyber, the response to incidents is too important to be left to the techies. They have a very important role to play, but managing communications is a key part of the response. There are a number of lessons from the Marriott experience and there is a lot of work which you should do now to prepare your organisation for a possible data breach in the future.


Your Business Continuity Book Recommendations

With the festive season coming up and elderly aunts and parents asking what you want for Christmas, what book or books would you recommend as essential reading for anyone involved in business continuity or crisis management?

Please click here to share your recommendations.