What the Marriott Breach Can Teach Us About Cybersecurity in the Tourism & Hospitality Industry
Alex Campanelli | May 17, 2019
Last fall, news broke of the Marriott breach that compromised the records of up to 500 million customers. The data breach occurred through the IT company, a third party, that managed the Starwood reservation database.
As the Marriott CEO provided testimony in hearings taking place this spring, it is clear that Marriott took too long to disclose this breach. Even though the breach was found in September, disclosure did not occur until nearly three months later — and ultimately, the company failed to protect valuable customer information. The company is already the subject of class action lawsuits that could have a severe impact on the organization.
Given the prevalence of breaches in the tourism & hospitality sector, BitSight researchers did an analysis to see what insights we could glean about the cyber health of the industry. Our researchers reviewed our database of companies (150,000+) to make observations about the security performance of the tourism & hospitality industry from 2016 through the end of last year.
Over the last 3+ years, the Tourism & Hospitality sector has been very average (if even just a bit below) when it comes to cybersecurity performance as compared to other industries. This is ultimately very troubling when you consider the amount of sensitive data that these companies keep, including personally identifiable information (PII) and payment card information (PCI).
Since 2016, nearly 5% of the tourism & hospitality entities that BitSight tracks (out of a total of almost 2,000) have experienced a publicly disclosed data breach. This is the 4th highest percentage of breach out of the 23 key sectors BitSight monitors, trailing only healthcare, education, and government.
When it comes to examining BitSight’s Open Ports risk vector, the tourism & hospitality sector generally ranks in the middle when looking at all companies, but ranks near the bottom when looking at the Fortune 1000.
Though it is often assumed that larger organizations perform better in cybersecurity, the data on Fortune 1000 companies in this industry suggests otherwise. For example, Fortune 1000 tourism & hospitality companies are performing poorly compared to the sector as a whole when it comes to reducing unnecessary Internet exposures (“Open Ports”). This was the same attack vector/entry point used for the Wannacry infection. BitSight has observed that organizations that perform poorly in this area of cyber risk management are more likely to experience a publicly disclosed breach.
For all companies, tourism & hospitality has the 2nd highest percentage of companies with an Open Port grade of D or lower (Education is 1st).
Ultimately, cyber incidents like the Marriott breach confirm that companies in this industry need to be much more about proactively mitigating the risk posed by their supply chain given the sensitive consumer information they contain in their databases.
Between difficulty communicating with boards and executives, decreasing budgets, and difficulty measuring how exactly risk was being reduced, security leaders are under pressure to change the way they do things. The situation for security...
Cloud computing is not new to the cyber world; it’s here to stay. Web services are common in our everyday lives and workplaces, with things like Facebook, Salesforce, JIRA, Adobe, and GSuite all falling into the cloud-based category. But...
In the cybersecurity industry we deal with news of breaches or potential threats nearly every day, but when you really think about it, it’s bizarrely rare how little these events impact our everyday lives. Yes, they impact the professional...