Why It Happened?
Marriott faces a fine of $124 million proposed by UK regulators under the EU's new privacy rules. The breach persisted for four years before it was discovered: it dates back to 2014 but was not found until November 2018. Marriott said the long-running breach exposed information such as names, email addresses, phone numbers, passport numbers, encrypted payment card information and more. The breach appears to have begun with a 2014 network intrusion at Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016.
The ICO says Marriott's security practices failed to protect personal information. "The GDPR makes it clear that organizations must be accountable for the personal data they hold," says U.K. Information Commissioner Elizabeth Denham.
The Marriott fine comes right after a record fine of $230 million imposed by the ICO on Monday following the British Airways data breach.
What Can Organizations Do to Prevent This?
- Organizations Need To Constantly Monitor All Their Data
The key to protecting consumer data is the ability to continuously discover where sensitive data resides and to act on it, so that unauthorized access to or exfiltration of that data can be prevented.
- Security Controls Should be Applied to All Assets
Ideally this breach should have been identified as part of the cyber risk assessment conducted during the M&A activity; it is possible that the two corporate entities had different levels of security maturity. It is highly probable that the security controls that were in place were not applied to all assets, including those inherited from the acquired company.