What the Marriott Breach Can Teach Us About Cybersecurity in the Tourism & Hospitality Industry

Alex Campanelli | May 17, 2019 | tag: Cybersecurity

Last fall, news broke of the Marriott breach that compromised the records of up to 500 million customers. The data breach occurred through the IT company, a third party, that managed the Starwood reservation database.

As the Marriott CEO provided testimony in hearings taking place this spring, it is clear that Marriott took too long to disclose this breach.  Even though the breach was found in September, disclosure did not occur until nearly three months later — and ultimately, the company failed to protect valuable customer information. The company is already the subject of class action lawsuits that could have a severe impact on the organization.

Given the prevalence of breaches in the tourism & hospitality sector, BitSight researchers did an analysis to see what insights we could glean about the cyber health of the industry. Our researchers reviewed our database of companies (150,000+) to make observations about the security performance of the tourism & hospitality industry from 2016 through the end of last year.

Over the last 3+ years, the Tourism & Hospitality sector has been very average (if even just a bit below) when it comes to cybersecurity performance as compared to other industries. This is ultimately very troubling when you consider the amount of sensitive data that these companies keep, including personally identifiable information (PII) and payment card information (PCI).

data breaches by industrySince 2016, nearly 5% of the tourism & hospitality entities that BitSight tracks (out of a total of almost 2,000) have experienced a publicly disclosed data breach. This is the 4th highest percentage of breach out of the 23 key sectors BitSight monitors, trailing only healthcare, education, and government.

open ports by industry - tourism/hospitalityopen ports by industry - tourism/hospitality fortune 1000When it comes to examining BitSight’s Open Ports risk vector, the tourism & hospitality sector generally ranks in the middle when looking at all companies, but ranks near the bottom when looking at the Fortune 1000.

Though it is often assumed that larger organizations perform better in cybersecurity, the data on Fortune 1000 companies in this industry suggests otherwise. For example, Fortune 1000 tourism & hospitality companies are performing poorly compared to the sector as a whole when it comes to reducing unnecessary Internet exposures (“Open Ports”). This was the same attack vector/entry point used for the Wannacry infection. BitSight has observed that organizations that perform poorly in this area of cyber risk management are more likely to experience a publicly disclosed breach.

For all companies, tourism & hospitality has the 2nd highest percentage of companies with an Open Port grade of D or lower (Education is 1st).

Ultimately, cyber incidents like the Marriott breach confirm that companies in this industry need to be much more about proactively mitigating the risk posed by their supply chain given the sensitive consumer information they contain in their databases.

Want to see more research from BitSight?

New call-to-action

Suggested Posts

4 Tips for Reducing Your Company’s Cyber Exposure

If your organization is like many others, its cyber exposure continues to grow over time. During the pandemic, as attackers sought to exploit unprecedented changes in work environments, 35% of cyberattacks used previously unseen malware...


5 Essential Elements of a Municipal Cyber Security Plan

Cyberattacks on state and local governments are on the rise. In 2020, more than 100 government agencies, including municipalities, were targeted with ransomware – an increasingly popular attack vector

These incidents are costly and...


Do You Have What it Takes to Achieve Digital Resilience?

The term “digital resilience” has gained momentum over the past few years as cybersecurity threats have grown, but what does it really mean? And how can a company become digitally resilient?


Get the Weekly Cybersecurity Newsletter.