Facebook, Under Armour, Exactis, British Airways… The list of companies that have suffered massive data breaches in 2018 just keeps growing: according to Verizon, there have been over 2,200 so far this year. This is not a list that companies want to appear on at all, let alone in the top spot. Nevertheless, just a few weeks before the end of the year, a company has made its way onto the list and, due to the quantity of data leaked, has gone straight to the top of the chart: the hotel group Marriott International.
The hotel sector is in for some sleepless nights
On November 30, it was revealed that the records of up to 500 million customers of the hotel group Marriott International may have been involved in a data breach. In fact, not only is it the largest breach this year: it is also the second largest data breach in history.
The hotel chain said that the database of its Starwood division – which includes Westin, Sheraton and W Hotels – was compromised by an unauthorized party, and that the attacker had been able to access the data of customers on its network since 2014.
For around 327 million guests, the information copied by the cybercriminal included “a combination” of their name, physical address, phone number, email, passport number, account information, date of birth, gender, as well as arrival and departure information.
It has also confirmed that some records included encrypted payment card information, but that it couldn’t rule out the possibility that the encryption keys had also been stolen.
In order to help its customers, the company has set up a website to provide them with more information. As well as the website, the company has begun the process of notifying the affected customers via email. As often happens with incidents of this kind, there is the risk that scammers will take advantage of this situation to launch phishing attacks. To combat this, Marriott has stated that it will not ask for personal information in the emails, nor will it include any attachments.
The consequences of a data breach
This data breach was revealed just a couple of days ago, and so we will have to wait some time to find out what consequences it will have for the company. Although Marriott is a US company, it handles the personal data of European citizens. This means that it is subject to the new General Data Protection Regulation (GDPR). With a turnover of $22.9 billion (€20,171,350,500) in 2017, if the harshest fine – 4% of global annual turnover – is applied, Marriott could have to pay $916 million (€807 million).
How to protect personal data
To keep people from getting onto your company’s IT systems, it is vital to have the ability to monitor all activity on every endpoint. Panda Adaptive Defense, the advanced cybersecurity suite from Panda Security, offers you this visibility, so that you know exactly what is happening on your network, and if someone is trying to access something they shouldn’t.
What’s more, Panda Adaptive Defense has modules created specifically to stop access, modification and exfiltration of the data stored by your company. Panda Data Control monitors and discovers all unstructured personal data (PII) on all endpoints. This way, not only will you know what data you have and where you have it, but you’ll also know if someone accesses it or tries to modify it.