What the Marriott Breach Can Teach Us About Cybersecurity in the Tourism & Hospitality Industry

Alex Campanelli | May 17, 2019 | tag: Cybersecurity

Last fall, news broke of the Marriott breach that compromised the records of up to 500 million customers. The data breach occurred through the IT company, a third party, that managed the Starwood reservation database.

As the Marriott CEO provided testimony in hearings taking place this spring, it is clear that Marriott took too long to disclose this breach.  Even though the breach was found in September, disclosure did not occur until nearly three months later — and ultimately, the company failed to protect valuable customer information. The company is already the subject of class action lawsuits that could have a severe impact on the organization.

Given the prevalence of breaches in the tourism & hospitality sector, BitSight researchers did an analysis to see what insights we could glean about the cyber health of the industry. Our researchers reviewed our database of companies (150,000+) to make observations about the security performance of the tourism & hospitality industry from 2016 through the end of last year.

Over the last 3+ years, the Tourism & Hospitality sector has been very average (if even just a bit below) when it comes to cybersecurity performance as compared to other industries. This is ultimately very troubling when you consider the amount of sensitive data that these companies keep, including personally identifiable information (PII) and payment card information (PCI).

data breaches by industrySince 2016, nearly 5% of the tourism & hospitality entities that BitSight tracks (out of a total of almost 2,000) have experienced a publicly disclosed data breach. This is the 4th highest percentage of breach out of the 23 key sectors BitSight monitors, trailing only healthcare, education, and government.

open ports by industry - tourism/hospitalityopen ports by industry - tourism/hospitality fortune 1000When it comes to examining BitSight’s Open Ports risk vector, the tourism & hospitality sector generally ranks in the middle when looking at all companies, but ranks near the bottom when looking at the Fortune 1000.

Though it is often assumed that larger organizations perform better in cybersecurity, the data on Fortune 1000 companies in this industry suggests otherwise. For example, Fortune 1000 tourism & hospitality companies are performing poorly compared to the sector as a whole when it comes to reducing unnecessary Internet exposures (“Open Ports”). This was the same attack vector/entry point used for the Wannacry infection. BitSight has observed that organizations that perform poorly in this area of cyber risk management are more likely to experience a publicly disclosed breach.

For all companies, tourism & hospitality has the 2nd highest percentage of companies with an Open Port grade of D or lower (Education is 1st).

Ultimately, cyber incidents like the Marriott breach confirm that companies in this industry need to be much more about proactively mitigating the risk posed by their supply chain given the sensitive consumer information they contain in their databases.

Want to see more research from BitSight?

New call-to-action

Suggested Posts

More Network Security Monitoring Tools Doesn’t Mean More Visibility

Network security monitoring tools are a critical component of any IT security toolkit. These resources monitor and manage your network for cyber risk by scanning your organization’s digital assets for security vulnerabilities and...

READ MORE »

Third Party Services: The Cyber Risk They Pose and How to Protect Your Organization

To serve your customers and realize efficiencies, your organization may work with dozens if not hundreds of third parties including partners, vendors, cloud service providers, and subcontractors. 

But digital ties with these providers...

READ MORE »

What is Network Segmentation Cyber Security and is it Right for You?

These days, we often hear the word “quarantine” in everyday conversations--but quarantining takes on a different meaning when it comes to protecting your network. 

Often, when we discuss quarantining from a cyber security perspective...

READ MORE »

Get the Weekly Cybersecurity Newsletter.