Hotel group’s massive data breach proves no industry is immune.

The revelations surrounding the recent breach of up to 500 million customer records from a Marriott Hotels subsidiary highlight three unavoidable truths:

  1. No organisation is immune from cyber-attacks. Whatever the industry, cyber-criminals seek to obtain access to Big Data and exploit it for financial gain.
  2. IT and communications networks are vulnerable. When prevention technologies inevitably fail, data protection, via encryption, offers the best, last line of defence.
  3. To guarantee no harm results from a data breach, a high-assurance encryption model is essential. Only then can an organisation be assured the encryption keys are stored securely.

Europe’s GDPR has set the gold standard for what is widely recognised as cyber-security best practice. Whilst Marriott’s headquarters are in the US, it must still comply with the EU regulation. Under the GDPR, had a sufficiently strong and effective encryption solution been in place, Marriott might not have been required to disclose the breach.

Unfortunately, this appears to be the third breach in as many years, and it transpires that someone has had unauthorised access to the data since 2014. The stolen data includes sensitive items such as names, passport numbers, email addresses, dates of birth and booking records. There is a good chance that encrypted credit card details were also stolen. However, Marriott has not been able to rule out the possibility that the encryption keys were taken as well.

One of the core principles of a high-assurance encryption system is the security and integrity of the encryption keys themselves. In a suitably secure system the keys are themselves encrypted and stored within a secure module, so that a copy of the encrypted data, even together with the stored key material, cannot be decrypted without that module. In the Marriott instance, that does not appear to be the case.

For an encryption solution to offer high-assurance data protection it should comprise dedicated, tamper-proof hardware; client-side-only encryption key management; standards-based encryption algorithms; and authenticated, end-to-end encryption.
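As an added illustration of the key hierarchy the two preceding paragraphs describe (example code written for this page, not code from Marriott or from any product), the Go sketch below gives each record its own data-encryption key, stores that key only in wrapped form, and keeps the wrapping key inside a hypothetical SecureModule stand-in that never exports it; AES-256-GCM provides the standards-based, authenticated encryption. The SecureModule type, the Record layout and the "DEK" label are assumptions made for the example, not a real HSM interface.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on error: CSPRNG failure or a bad fixed-size key is a platform fault.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) } // AES-256-GCM
// seal encrypts under a fresh nonce (prepended); aad is bound into the auth tag.
func seal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open verifies the tag before decrypting; tampering or the wrong aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := aead(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}
// SecureModule is a hypothetical stand-in for tamper-resistant hardware (not a real HSM API).
type SecureModule struct{ kek []byte } // key-encryption key: generated inside, never exported
func NewSecureModule() *SecureModule                    { return &SecureModule{kek: randomBytes(32)} }
func (m *SecureModule) Wrap(dek []byte) []byte          { return seal(m.kek, dek, []byte("DEK")) }
func (m *SecureModule) Unwrap(w []byte) ([]byte, error) { return open(m.kek, w, []byte("DEK")) }
// Record is what the database holds: a stolen copy yields neither plaintext nor a usable key.
type Record struct{ Ciphertext, WrappedDEK []byte }
func EncryptRecord(m *SecureModule, id string, plaintext []byte) Record {
	dek := randomBytes(32) // fresh data-encryption key per record, wrapped by the module
	return Record{Ciphertext: seal(dek, plaintext, []byte(id)), WrappedDEK: m.Wrap(dek)}
}
func DecryptRecord(m *SecureModule, id string, r Record) ([]byte, error) {
	dek, err := m.Unwrap(r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(id)) // id as aad: a row cannot be swapped for another
}
```

Decrypting with a second module instance models the attacker who holds the table and the wrapped keys but not the hardware-resident KEK; the unwrap fails authentication rather than yielding a key.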

Further reading:

Marriott data breach

Encryption key management

High-assurance encryption