Aside from the massive Yahoo hack from 2016, the Marriott data breach that exposed the personal information of up to 383 million guests is one of the biggest leaks in recent history. While cybersecurity experts are already speculating that it was a state-sanctioned attack against Marriott’s Starwood database, the biggest takeaway from the event is the hospitality industry’s massive cybersecurity vulnerabilities.
Far from being a single event, the infiltration had actually been going on for years before it was finally detected. In its statement outlining the breach, Marriott admitted that “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences” may have been exfiltrated by the hackers.
Experts still aren’t sure how the hackers gained access, but some are speculating that a sophisticated spear phishing attack could be the culprit. Spear phishing attacks involve hackers posing as employees or supervisors and sending malicious links through email. Because of the huge volume of email communications occurring every day, this tactic tends to be incredibly effective against large corporations. In fact, it was the weapon of choice for the massive Saudi Aramco breach that damaged 35,000 computers.
How Vulnerable Is the Hospitality Industry?
According to the security firm Trustwave Holdings, the hotel industry was the third-most targeted sector after the retail and finance industries. It makes sense: hotels are goldmines for travel records and personal information. In fact, the infamous DarkHotel attacks from 4 years ago infiltrated several hotel chains to spy on high-level executives and officials who logged on to their networks.
What’s at Stake
Unfortunately, the aftermath of a massive data breach is also often exploited by criminals. After a data breach, some criminals pose as the company that suffered the breach and proceed to ask recipients for their financial information. That’s why one common tactic is buying domains one letter off the company’s name immediately after a hacking. Even Marriott, in a statement about the breach, warned customers not to open emails unless they were verified by the company.
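One defensive check for the lookalike-domain tactic described above, as an added example that is not from the original article or from Trustifi: compare each sender’s domain against the company’s real domains and flag any that are a single character edit away. The domains and From: headers below are constructed placeholders.

```python
# Added example (not from the original article): flag sender domains that are
# within one character edit of a company's real domain, the lookalike-domain
# tactic used for post-breach phishing. All domains here are placeholders.

TRUSTED_DOMAINS = {"example-hotel.com"}  # placeholder for the company's real domains


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain of the address in a From: header value."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' (one edit from a trusted domain) or 'other'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    if any(edit_distance(domain, t) == 1 for t in trusted):
        return "lookalike"
    return "other"


# Constructed sample From: headers, not real messages.
SAMPLE_HEADERS = [
    "Guest Services <support@example-hotel.com>",
    "Guest Services <support@examp1e-hotel.com>",   # digit '1' swapped for 'l'
    "Guest Services <support@example-hotels.com>",  # one character inserted
    "Newsletter <news@unrelated.example>",
]


def flagged(headers=SAMPLE_HEADERS):
    """Return the headers whose sender domain is a lookalike of a trusted domain."""
    return [h for h in headers if classify_sender(h) == "lookalike"]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{classify_sender(h):10} {h}")
```

Mail gateways typically combine a check like this with SPF/DKIM results, since a lookalike domain can pass both while still deceiving the reader.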
So, what steps can the hospitality sector take to secure their email?
Why You Should Keep Your Email Protected
While most discussions on cybersecurity are justly focused on strengthening network security, it’s impossible to ignore the role email communications play in most corporate leaks. In fact, the Verizon 2018 Data Breach Investigations Report found that email was the most common method that hackers used to gain access to a system.
As cyber criminals get more and more clever in their use of email, it’s essential to protect the personal information, such as passports, credit card details, and addresses, that is regularly exchanged in the hospitality sector.
One solution would be encryption, a method of scrambling an email’s contents and attachments so they cannot be read unless a unique key is provided. And while businesses often don’t encrypt their emails because it’s too cumbersome, a simple solution would be to adopt an easy-to-integrate secure email service that works for both sender and recipient.
A tracking service can also help protect you from the most sophisticated phishing attacks. When you know exactly where an email came from and whether it’s from a verified source, you’re reducing the risk of human error and allowing hotel staff to immediately detect a phishing scheme.
Two-factor authentication is another method being used to secure email communications. It works by requiring a unique code, sent to a separate device, to unlock a message. If a threat actor gains access to your email account’s password, two-factor authentication can, at the very least, protect the contents of your emails.
As authorities further investigate the Marriott leak, there will no doubt be further consequences for a hack of this magnitude; under the European General Data Protection Regulation (GDPR), which directs how companies protect users’ personal data, Marriott could be fined up to 4% of its annual global revenue. That’s around $1 billion.
Of course, it’s too soon to tell what the financial fallout will be for Marriott, but as customers become increasingly dependent on companies to protect their data, it’s up to the hospitality industry to shore up its defenses. Because ultimately, you’re not only responsible for your guests’ safety and comfort while they stay with you, you’re responsible for their privacy and security, too.
Idan Udi Edry is the CEO of Trustifi, a software-as-a-service company offering a patented postmarked email system that encrypts and tracks emails. Before his work with email encryption, Idan served as an Israeli Air Force officer for more than eight years, reaching the rank of captain and leading hundreds of professionally trained military personnel in building and operating advanced information systems. A trusted authority in information technology and data security, Idan has 13 formal certifications from the most renowned IT and telecommunications organizations, and his insight has been featured in major publications like Fox News, Bloomberg BNA, and MD Edge.