<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1175921925807459&amp;ev=PageView&amp;noscript=1">

What the Marriott Breach Can Teach Us About Cybersecurity in the Tourism & Hospitality Industry

Alex Campanelli | May 17, 2019

Last fall, news broke of the Marriott breach that compromised the records of up to 500 million customers. The data breach occurred through the IT company, a third party, that managed the Starwood reservation database.

As the Marriott CEO provided testimony in hearings taking place this spring, it is clear that Marriott took too long to disclose this breach.  Even though the breach was found in September, disclosure did not occur until nearly three months later — and ultimately, the company failed to protect valuable customer information. The company is already the subject of class action lawsuits that could have a severe impact on the organization.

Given the prevalence of breaches in the tourism & hospitality sector, BitSight researchers did an analysis to see what insights we could glean about the cyber health of the industry. Our researchers reviewed our database of companies (150,000+) to make observations about the security performance of the tourism & hospitality industry from 2016 through the end of last year.

Over the last 3+ years, the Tourism & Hospitality sector has been very average (if even just a bit below) when it comes to cybersecurity performance as compared to other industries. This is ultimately very troubling when you consider the amount of sensitive data that these companies keep, including personally identifiable information (PII) and payment card information (PCI).

data breaches by industrySince 2016, nearly 5% of the tourism & hospitality entities that BitSight tracks (out of a total of almost 2,000) have experienced a publicly disclosed data breach. This is the 4th highest percentage of breach out of the 23 key sectors BitSight monitors, trailing only healthcare, education, and government.

open ports by industry - tourism/hospitalityopen ports by industry - tourism/hospitality fortune 1000When it comes to examining BitSight’s Open Ports risk vector, the tourism & hospitality sector generally ranks in the middle when looking at all companies, but ranks near the bottom when looking at the Fortune 1000.

Though it is often assumed that larger organizations perform better in cybersecurity, the data on Fortune 1000 companies in this industry suggests otherwise. For example, Fortune 1000 tourism & hospitality companies are performing poorly compared to the sector as a whole when it comes to reducing unnecessary Internet exposures (“Open Ports”). This was the same attack vector/entry point used for the Wannacry infection. BitSight has observed that organizations that perform poorly in this area of cyber risk management are more likely to experience a publicly disclosed breach.

For all companies, tourism & hospitality has the 2nd highest percentage of companies with an Open Port grade of D or lower (Education is 1st).

Ultimately, cyber incidents like the Marriott breach confirm that companies in this industry need to be much more about proactively mitigating the risk posed by their supply chain given the sensitive consumer information they contain in their databases.

Want to see more research from BitSight?

New call-to-action

Suggested Posts

New Iranian Cyber Warfare Puts U.S. Networks at Risk

As tensions between the U.S. and Iran continue to heat up, a cyber war is already underway between the two nations.


Will BlueKeep Become WannaCry 2.0?

A little over a month ago, Microsoft discovered a software security vulnerability that could ultimately lead to one of the worst cybersecurity attacks since 2017’s infamous WannaCry ransomware incident.


Cyber Attacks Can Wreak Havoc on the Business in Multiple Ways

The past few years have shown us that the cybersecurity landscape has only gotten more complex, as massive attack after massive attack —WannaCry and NotPetya ransomwares, at Uber Technologies in 2016, from the Shadow Brokers group, and...


Subscribe to get security news and updates in your inbox.