Cybersecurity

What the Marriott Breach Can Teach Us About Cybersecurity in the Tourism & Hospitality Industry

Alex Campanelli | May 17, 2019

Last fall, news broke of the Marriott breach that compromised the records of up to 500 million customers. The data breach occurred through the IT company, a third party, that managed the Starwood reservation database.

As the Marriott CEO provided testimony in hearings taking place this spring, it is clear that Marriott took too long to disclose this breach.  Even though the breach was found in September, disclosure did not occur until nearly three months later — and ultimately, the company failed to protect valuable customer information. The company is already the subject of class action lawsuits that could have a severe impact on the organization.

Given the prevalence of breaches in the tourism & hospitality sector, BitSight researchers did an analysis to see what insights we could glean about the cyber health of the industry. Our researchers reviewed our database of companies (150,000+) to make observations about the security performance of the tourism & hospitality industry from 2016 through the end of last year.

Over the last 3+ years, the Tourism & Hospitality sector has been very average (if even just a bit below) when it comes to cybersecurity performance as compared to other industries. This is ultimately very troubling when you consider the amount of sensitive data that these companies keep, including personally identifiable information (PII) and payment card information (PCI).

data breaches by industrySince 2016, nearly 5% of the tourism & hospitality entities that BitSight tracks (out of a total of almost 2,000) have experienced a publicly disclosed data breach. This is the 4th highest percentage of breach out of the 23 key sectors BitSight monitors, trailing only healthcare, education, and government.

open ports by industry - tourism/hospitalityopen ports by industry - tourism/hospitality fortune 1000When it comes to examining BitSight’s Open Ports risk vector, the tourism & hospitality sector generally ranks in the middle when looking at all companies, but ranks near the bottom when looking at the Fortune 1000.

Though it is often assumed that larger organizations perform better in cybersecurity, the data on Fortune 1000 companies in this industry suggests otherwise. For example, Fortune 1000 tourism & hospitality companies are performing poorly compared to the sector as a whole when it comes to reducing unnecessary Internet exposures (“Open Ports”). This was the same attack vector/entry point used for the Wannacry infection. BitSight has observed that organizations that perform poorly in this area of cyber risk management are more likely to experience a publicly disclosed breach.

For all companies, tourism & hospitality has the 2nd highest percentage of companies with an Open Port grade of D or lower (Education is 1st).

Ultimately, cyber incidents like the Marriott breach confirm that companies in this industry need to be much more about proactively mitigating the risk posed by their supply chain given the sensitive consumer information they contain in their databases.

Want to see more research from BitSight?

New call-to-action

Suggested Posts

4 Ways to Mitigate Cyber Risk as Hackers Target COVID Researchers

As the U.S. biomedical community rushes to combat COVID-19, the FBI announced last week that, in a bid to win the race for a vaccine or cure, state-sponsored Chinese hackers are targeting U.S. researchers in an attempt to “obtain valuable...

READ MORE »

The Shifting Role of the Security Professional: Doing More With Less

The COVID-19 outbreak has seen the roles of many cybersecurity professionals change — and many worry what it will mean for protecting their organizations from attacks.

READ MORE »

BitSight Research Reveals Vulnerabilities in Point of Sales Systems

When people talk about cybersecurity risks, the first area that normally comes to mind is malware. Some might even consider that it’s the worst event that can happen, as it normally indicates that a malicious actor has already bypassed the...

READ MORE »

Subscribe to get security news and updates in your inbox.