Marriott have reported another data breach.
You can read about it here.
I will be sharing my thoughts about this breach as it unfolds, not on this blog but in the hotelDPO membership communities (our private blogs exclusive to our members).
There will be lessons to learn from this.
My first advice to you is don't gloat. This latest breach is an example to all of us just how vulnerable hotels are. This particular breach appears to have been achieved using a social engineering attack. In other words, an employee clicked on a link somewhere and compromised system security.
People are the weakest part of your defences, which is why regular and ongoing data protection training matters.
All hotels have what is sometimes called an "attackable surface area". The more tech involved, the more customers, the more staff, the bigger it is.
Obviously, Marriott's attackable surface area is pretty big but in...
Just when we thought we had all recovered from the Marriott data breach, up pops Prestige Software, a Spanish software developer, who have put at risk possibly 10 million sets of transaction data going back to 2013.
You can read about it here - https://www.infosecurity-magazine.com/news/hotel-booking-firm-leaks-data/
First, it's not a malicious attack. This one was caused by the most common method. Someone made a mistake.
Mistakes happen. In this case, someone misconfigured an Amazon AWS server. For those of you who neither know nor care what that is, it's the computers on which much of our online activity is stored. They are quite complex things. Most of your technology data processors run their stuff on something similar. It's all well and good as long as you employ people who know what they're doing and you have effective security and work monitoring in place.
Someone either didn't know what they were doing or...
There's a storm on the horizon.
It is headed in the direction of Marriott International (a hotel chain).
For those of you who know me, you may already be familiar with my stories about hotel owners and managers who look anywhere but directly at me and say,
"GDPR? We'll do it when they make us."
...and then shrug their shoulders. Which was usually my cue to leave the room.
If you are waiting on the ICO to take action and string up... sorry, I mean "censure" a hotel business for a breach of the Data Protection Act, you might be waiting a while. They have a lot on their plate at the moment and the wheels of regulation can sometimes move slower than we might expect.
Private individuals who have had their privacy breached, on the other hand, move an awful lot faster. Combine a group of them with one motivated individual to provide leadership, some decent legal advice and a bit of funding and hey presto!
You have a group action filed in court.
One such action was...
Another breach of personal data held by Marriott Hotels is in the news this week. There is one lesson we can all learn.
As soon as you collect personal data, you expose both the data and your business to the risk of a breach.
It is that simple.
When a world-leading hotel chain such as Marriott has a personal data breach, it can affect thousands of data subjects. In this case it was millions. Still, this one is less widespread than their last reported data breach, which exposed personal data belonging to hundreds of millions of customers.
This latest breach doesn't represent an improvement. Just because it's smaller doesn't make it better. It is a different type of breach for a start, and this time Marriott have been a lot more proactive in identifying and tackling the problem. Yet what it does is illustrate to the rest of us one of the fundamental problems with processing personal data:
It is always at risk –...