Hospitality doesn’t pay; Robust data security does: What Marriott should have done at the outset

Marriott Hotel’s data security breach need not have happened had real-time data security controls been in place

And yet again, another resounding data breach story is out in the media. This time the victim is Marriott Hotel. On Friday, 30 November 2018, Marriott revealed that “credit card numbers and expiration dates of some guests may have been taken”. However, the exposure goes well beyond card data: the exposed data includes personally identifiable information such as mailing address, phone number, email address, guest account information, date of birth, gender, and other sensitive details.

Since 2014

What is worrisome is that this information leak could have been happening since 2014. An article in Cyber Defence Magazine states that “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.” [1]

An SAP user since 2010

Stonebridge Companies started leveraging SAP ERP for its Hotel Management processes [2]. Marriott Hotel merged with Stonebridge in 2015, adding its 54 million users to the already 21 million strong Stonebridge customer base.

The way forward

An apologetic Arne Sorenson (CEO) stated in a prepared statement that “we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

What should have been done in 2010

To meet its growing business requirements, Stonebridge implemented SAP in 2010. The SAP implementation covered Financials, Payroll, HR as well as Transportation & Logistics.

Business growth is a great thing, but also ushers in unique challenges.

In a modern enterprise, such as Stonebridge, where there is a rise in business collaboration, an explosion of storage locations and cloud services, and an increased mobile workforce, traditional protection mechanisms are often left powerless. SAP users extract hundreds of sensitive documents from SAP systems and applications for the purpose of reporting, analytics, and knowledge sharing with colleagues, partners, and suppliers. Most enterprises have very little knowledge or control of where these documents are going, who accesses them, or how they are being used. This leaves companies at a high risk of data loss due to malicious or accidental actions.

Thus, what Stonebridge needed was complete transparency over SAP data exports, an alerting mechanism for compliance breaches, and the capability to close detection gaps in SAP Access Control (GRC), all in real time. This should be augmented with automated enforcement of compliance guidelines for SAP data exports using context-based classification, a key aspect overlooked by Bruce Hoffmeister, Global CIO, Marriott International.

SECUDE believes that, with such a system in place, an enterprise can effectively protect both data that should not leave SAP and data that is legitimately needed outside SAP.

And the good news is that there is such a solution. You can read more about this solution here.

Reference

[1] Marriott Suffers Massive Breach – Affects 500 Million Customers

[2] Stonebridge Companies Moves Its Hotel Management to SAP ERP

[3] Starwood Guest Reservation Database Security Incident

[4] Marriott security breach exposed data of up to 500M guests
