
Ratti Otters

Cybersecurity - Marriott Data Breach

The Problem of Data Security
● Data can be lost or stolen from employee computers
● Computers could be infected with spyware or malware
● Data can be stored in unsecured cloud storage
● The average cost of a data breach is $150 million, with annual global costs of $3.1 trillion
● Data protection laws in the U.S. vary widely; there is no uniform model like the GDPR
● Each state has different laws and requirements
● Several federal laws deal with very specific dimensions of personal data, but there is no overarching policy for data collection and protection

Current Policies in Place
● The Federal Trade Commission Act (15 U.S.C. §§41-58)
○ Enacted in 1914; prohibits deceptive acts and unfair competition. Companies must follow their posted privacy policies and disclose how they use data. Mostly focused on protecting businesses.
● Children's Online Privacy Protection Act (COPPA) (15 U.S.C. §§6501-6506)
○ Restricts collecting data from and about children under 13; requires verifiable parental consent and confidentiality of the data collected
● The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)) (15 U.S.C. §§6801-6827)
○ Regulates the collection of financial information and limits its disclosure; institutions must declare their privacy practices; includes rules on the disposal of identifiable information (mostly shredding or destroying documents containing personal financial information)
● The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.)
○ Individuals must give specific permission before their health data is shared; largely prompted by people concerned that health information (e.g., an AIDS or cancer diagnosis) might reach employers and cost them their job
● The Electronic Communications Privacy Act (18 U.S.C. §2510) & the Computer Fraud and Abuse Act (18 U.S.C. §1030)
○ Enacted to protect against interception of electronic communications and computer tampering, at a time when ISPs were caught doing deep packet inspection of messages and third parties (ISPs & email providers) had little incentive to protect users' data

Policy Issue Identified

Problem Statement: The issue at hand is cyber-attacks within the private sector. Data is becoming increasingly valuable, and emerging technologies allow businesses to collect more of it than ever. Even though much of this collection is necessary or essential to business operations, private businesses must be held accountable for the data they possess and must follow preventative measures to mitigate future data breaches. Marriott has experienced two data breaches within the last two years and consequently faces a damaged reputation and decreased business: consumers have lost privacy, have reduced faith in the business, and risk having their PII (personally identifiable information) stolen and misused. Incidents such as these should communicate to companies that customer data belongs to the revenue center, not the cost center. Better security not only prevents breaches but also builds trust with the customer base, which in turn generates more revenue. Businesses need to see data not just as an asset, but as a liability if it is not protected.

Background
● In Feb. 2020, it was discovered that the login credentials of two Marriott employees had been compromised, allowing hackers into Marriott's loyalty program database
● The breach exposed the personal details of 5.2 million loyalty members
○ Names, email addresses, mailing addresses, phone numbers, dates of birth, gender, language preferences, room preferences
● Marriott contacted affected guests and launched a website offering a monitoring program for visitors whose details could have been compromised
● Marriott and several security experts warned affected customers that the hackers could use the compromised information to "phish" for other personal and sensitive information
● Marriott was recently fined over $24 million (£18.4 million, by the UK Information Commissioner's Office) for the 2018 data breach
○ Unclear as of now whether any repercussions will follow from the 2020 breach
● The CEO of a third-party cybersecurity company stated that the breaches could have been avoided with basic policies such as two-factor authentication and monitoring of user account activity
○ She also noted that the hotel chain does not do the basics of cybersecurity well
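The "basics" named in the bullet above (require a second factor, watch what each account actually does) are mechanical enough to demonstrate. The following is an added example, not code from the presentation or from Marriott: a small detector that reads a constructed audit log of loyalty-database queries, builds a per-account baseline over the first few days, and then flags logins without MFA, first use of a new source IP, and daily record pulls far above the account's normal volume. The log format, field names, account names, IPs and thresholds are all assumptions made for the example; a real deployment would read its own audit source and tune the thresholds.

```python
"""Flag anomalous loyalty-database access from a constructed audit log.

Added example; not code from the presentation or Marriott. Log format,
accounts, IPs and thresholds are assumptions made for illustration.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log: "<date> user=<id> ip=<src> mfa=<yes|no> records=<n>".
# Two call-centre agents query modest volumes for a week; then agent02's
# credential is used from an external address, without MFA, to pull
# thousands of records, which is the pattern of a credential-based breach.
SAMPLE_LOG = """\
2020-01-06 user=agent01 ip=10.20.1.15 mfa=yes records=40
2020-01-06 user=agent02 ip=10.20.1.22 mfa=yes records=20
2020-01-07 user=agent01 ip=10.20.1.15 mfa=yes records=55
2020-01-07 user=agent02 ip=10.20.1.22 mfa=yes records=25
2020-01-08 user=agent01 ip=10.20.1.15 mfa=yes records=38
2020-01-08 user=agent02 ip=10.20.1.22 mfa=yes records=30
2020-01-09 user=agent01 ip=10.20.1.15 mfa=yes records=60
2020-01-09 user=agent02 ip=10.20.1.22 mfa=yes records=22
2020-01-10 user=agent01 ip=10.20.1.15 mfa=yes records=45
2020-01-10 user=agent02 ip=10.20.1.22 mfa=yes records=28
2020-01-13 user=agent01 ip=10.20.1.15 mfa=yes records=35
2020-01-13 user=agent02 ip=10.20.1.22 mfa=yes records=24
2020-01-14 user=agent01 ip=10.20.1.15 mfa=yes records=50
2020-01-14 user=agent02 ip=203.0.113.7 mfa=no records=700
2020-01-14 user=agent02 ip=203.0.113.7 mfa=no records=650
2020-01-15 user=agent02 ip=203.0.113.7 mfa=no records=3000
"""


def parse_line(line):
    """Turn one 'key=value' audit line into a dict with typed fields."""
    day, *fields = line.split()
    event = {"day": day}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    event["records"] = int(event["records"])
    event["mfa"] = event["mfa"] == "yes"
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events, baseline_days):
    """Per-user median records/day and known source IPs over the first
    `baseline_days` distinct dates in the log (assumed to be clean)."""
    window = set(sorted({e["day"] for e in events})[:baseline_days])
    daily = defaultdict(lambda: defaultdict(int))
    known_ips = defaultdict(set)
    for e in events:
        if e["day"] in window:
            daily[e["user"]][e["day"]] += e["records"]
            known_ips[e["user"]].add(e["ip"])
    medians = {user: median(per_day.values()) for user, per_day in daily.items()}
    return medians, known_ips, window


def detect(events, baseline_days=5, multiplier=5, min_records=500):
    """Return (user, day, kind, detail) findings for events after the baseline."""
    medians, known_ips, window = build_baseline(events, baseline_days)
    findings = []
    daily_total = defaultdict(int)
    for e in sorted(events, key=lambda ev: ev["day"]):
        if e["day"] in window:
            continue
        user = e["user"]
        if not e["mfa"]:  # every un-MFA'd session is worth an alert
            findings.append((user, e["day"], "no_mfa", f"session from {e['ip']} without MFA"))
        if e["ip"] not in known_ips[user]:  # alert once on first use of a new address
            known_ips[user].add(e["ip"])
            findings.append((user, e["day"], "new_ip", f"first use of {e['ip']}"))
        daily_total[(user, e["day"])] += e["records"]
    # Volume: a day is anomalous when it exceeds both an absolute floor and a
    # multiple of the user's own baseline (accounts unseen in the baseline get the floor).
    for (user, day), total in sorted(daily_total.items()):
        threshold = max(min_records, multiplier * medians.get(user, 0))
        if total > threshold:
            findings.append((user, day, "volume", f"{total} records vs threshold {threshold:.0f}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'no_mfa': 3, 'new_ip': 1, 'volume': 2}."""
    return dict(Counter(kind for _, _, kind, _ in findings))


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(*finding, sep=" | ")
```

Run against the constructed log, the detector is silent for the baseline week and for agent01 throughout, and raises six findings against agent02 once its credential starts being used externally. The volume rule deliberately keys off each account's own median rather than a global number, because a reservations agent and a reporting analyst have very different normal workloads; the absolute floor stops a near-zero baseline from producing alerts on trivial days.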

Background cont. Marriott data breach - 2018
● In the past 18 months, the hotel chain has suffered three cyber attacks
● In late 2018, Marriott announced that one of its reservation systems had been compromised, with hackers having had access to data since 2014
○ Affected up to 500 million people
● The hackers accessed names, addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood loyalty program account information, and reservation information
○ For some guests this included sensitive information such as payment card numbers and passport numbers
● A Remote Access Trojan (RAT) was discovered in system memory, along with Mimikatz, a tool for harvesting username/password combinations from memory. Together these could have given the hackers control of an administrator account.

Background cont. Marriott data breach - 2018
● In 2018, the massive data breach was traced back to a Chinese intelligence-gathering effort
○ The hackers were suspected to be part of the Ministry of State Security
○ Cybersecurity firms suspected that the hack was part of a much broader mission to gather Americans' data
● An earlier breach involved the information of over 1,550 company employees (names, addresses, Social Security numbers), compromised through a former vendor that handled official documents
● The malicious actors behind the 2020 Marriott data breach have yet to be traced or identified
○ The hotel chain has not indicated that the employees whose credentials were used in the breach are suspects

Background - Stakeholders

Primary Stakeholders:

Marriott Hotel:

They need to make sure guests can enjoy a good night's sleep in comfort while the business operates normally.

Level of knowledge: medium to high. They must keep income and expenditure in balance; hotel management has separate departments to deal with the various emergencies that arise.

Many investment companies stand behind the hotel and provide financial resources.

Marriott loyalty program users:

Program users' data should be kept private and secure.

Level of knowledge varies with factors such as gender, age, location and education.

Users have limited financial resources, but they have a right to legal and reasonable protection of their data.

Hackers/Malicious actors:

They damage Marriott's operations and reputation, then make money from the stolen user data.

Level of knowledge: high. The hackers have a sufficient understanding of computing and sufficient technical support.

Anyone who stands to benefit from Marriott's troubles may provide financial or other support.

Background - Stakeholders

Secondary Stakeholders:

Data security companies:

They must ensure the security and privacy of users' data in order to stay profitable.

Level of knowledge: medium to high. They have a solid understanding of, and do research on, network security policy, and each company has a dedicated technical department to ensure the security of users' data.

Financial and technical support comes from the customers they protect and from prospective customers.

Key stakeholders:

Government security department:

Ensures that cybersecurity laws fully cover users' right to data security. The department also has several units working on protecting user data and monitoring the internet.

Level of knowledge: high. It has full authority over cybersecurity law, and subordinate emergency teams can respond to any unexpected situation on the network.

Resources from subordinate departments and financial support from the state can be mobilized.

Security/Privacy lawyers:

Make money litigating claims against companies that were breached.

Level of knowledge: high. Lawyers bring a political and legal perspective and are a highly educated population; they can protect the legal rights and interests of users whose data was leaked.

Supported by legal provisions and by the fees from each lawsuit.

Policy Alternatives - Overview
● Hire 3rd party security services (products / services)
● Government-aided security
● Internal security training programs
● Enact a uniform policy, e.g. modeled on the GDPR (General Data Protection Regulation)

Policy Alternatives - Strengths & Weaknesses
● 3rd Party Products / Services
○ Strengths: Offers two key aspects, products and services. Services such as penetration tests, and product solutions such as hardware and software for monitoring, are both proven to be effective.
○ Weaknesses: Could be costly depending on the company's size and current system setup.
● Government-Aided Security
○ Strengths: Companies gain access to detailed government threat information, which could help them harden their networks against nation-state attack techniques.
○ Weaknesses: The most difficult to implement (red tape); the government does not have the best record on its own security measures; it may want back-door access for national security reasons, adding other vulnerabilities.

Policy Alternatives - Strengths & Weaknesses Cont.
● Internal Security Training Programs
○ Strengths: Cheapest option; fastest way to implement security measures.
○ Weaknesses: Potentially ineffective; relies on relatively untrained individuals who have no real stake in the company, and the risk of an internal weakness is always present.
● Enact a uniform policy modeled after the GDPR (General Data Protection Regulation)
○ Strengths: Proven to work in Europe in certain cases; companies that fail to comply are severely punished.
○ Weaknesses: Difficult to enforce because of limited resources, tight budgets and administrative hurdles. Companies can find easy ways to circumvent the rules, making it ineffective in some cases.

Policy Alternatives - What is the Best Option?

3rd Party Security Services/Products: best overall protection
● Predictive/Active Measures
○ Penetration testing - A good practice for keeping an organization secure is to have regular third-party penetration testing. By actively taking an adversarial approach, vulnerabilities can be uncovered and fixed before an attacker finds them.
○ Breach and attack simulation (BAS) - An exercise that helps harden enterprise networks. By continuously probing the network for flaws and simulating what an attacker could do with them, responses become routine and the time an attacker gets to spend inside the network can be limited.
● Passive/Continuous Measures
○ The third-party company provides cybersecurity software including firewalls, anti-virus, intrusion detection and prevention, and endpoint security, all tailored to Marriott's needs and systems.

Why is this the Best Option? Cont.

Best investment
○ Although it could initially come with a high price tag, that cost is nothing compared to the damage a breach causes without it. Establishing cybersecurity measures such as these is a wise investment that could save Marriott anywhere from millions to hundreds of millions of dollars in the future and protect its brand from further public embarrassment that could permanently damage its image and reputation.

Boosts customer trust and brand awareness among clients/customers/stakeholders
○ Assuring all company stakeholders that their privacy and sensitive information is protected is priceless. By prominently showing that these measures are now in effect, Marriott could bounce back from its previous data breaches and get back on its feet as a company that now takes the initiative.

Steps of Implementation

1. Figure out the desired outcome: It is important to keep the end goal in mind when setting objectives in the early stages. The significant decrease in the number of individuals affected from 2018 to 2020 is a positive; however, any individual being affected is a negative. Marriott's goal should be to minimize data breaches moving forward. Adopting a 3rd party service/product that uses penetration testing or breach and attack simulation will help reduce breaches further and, ideally, bring that number closer to zero.

2. Assign implementation responsibility to an owner: An employee dedicated solely to overseeing the steps that stop breaches from occurring is crucial. Someone needs to take ownership of the situation. Assigning an innovative and driven employee to lead this implementation will allow for a smoother ride when dealing with the difficult bumps along the way.

3. Conduct a risk assessment: Looking at possible risks beforehand allows for a more effective and time-efficient implementation. Marriott must see measurable improvement: there is a clear numerical value that shows the public whether the number of individuals affected by breaches has fallen. The risk is seeing that number increase after implementing the new service/product. Evaluating the statistics to be certain that the new methods are superior to what was in place is pivotal to Marriott's success.

Steps of Implementation cont.

4. Establish a budget: The budget is large for a company of this size; however, it is well worth it considering the amount of information that has been breached. In addition, protecting Marriott's image is very important to winning and keeping customers' business. The projected cost of implementing these services/products is roughly $650,000.

5. Create and delegate the implementation plan tasks: The leader of the implementation process should clearly communicate expectations to everyone involved. The expectation is clear: the number of breaches should continue to fall as time moves forward. Each member of the group should be working toward that goal so that customers' information is safe when they stay at one of Marriott's hotels.

6. Develop the implementation plan schedule: The schedule should start with selecting the 3rd party service/product to be implemented. Predictive/active measures such as penetration testing or breach and attack simulation look to be the best options for the goal of minimizing breaches. The milestones are straightforward: continue to reduce the number of individuals affected as time moves forward. There is no specific deadline to be met; the goal is to create a system that keeps customers' information safe.

Policy Impact Measurables
● Number of regular users and new users of the Loyalty Program
○ If customers continue to use the loyalty program, it is a sign that they trust it with their personal information; increases in the number of regular users and new enrollments could demonstrate increased consumer trust in the security of the program.
● Consumer surveys and reviews
○ Direct consumer feedback could give insight into how consumers view the changes.
● Frequency and intensity of future breaches
○ If the policy fails to limit and/or prevent breaches, it would be shown to be ineffective.
● Company performance
○ Statistics such as revenue, rooms rented, and other company-wide performance metrics could indicate that the policy is effective, but these metrics are also influenced by a myriad of other factors and cannot be taken in isolation.

Projected Impact
● Number of regular users and new users of the Loyalty Program
○ While there will be an initial decrease in regular users due to the breach, the number should slowly begin to increase, and at a faster rate over time.
● Consumer surveys and reviews
○ Consumers would likely be reluctant at first but would eventually approve of the increased security provided by 3rd party professionals.
● Frequency and intensity of future breaches
○ The policy is likely to prevent most future breaches and to dramatically reduce the impact of those that do occur.
● Company performance
○ Company performance will likely change due to factors unrelated to this policy.

Projected Costs
● There is no one-size-fits-all solution to cybersecurity; it requires an approach tailored to the client's budget and specific needs
● Businesses planning to invest in cybersecurity should know that the expenses fall into two general categories: products and services
● Products are the software, solutions, or physical devices that keep data protected (firewalls, endpoint security & antivirus software, email protection, two-factor authentication); services are the professional services that protect the client against cyber threats (vulnerability assessment, penetration testing, compliance auditing, security program development, security architecture review, monitoring services)

Projected Costs cont.
● Since the size of a company is a major factor in projected cybersecurity costs, an organization as large as Marriott Hotels will need to spend more than a smaller business would
● Firewall protection (product cost + installation fee + monthly/yearly subscription) would cost between $1,500 and $15,000
● Endpoint security & antivirus software costs on average $5-$8 per user per month, and $9-$18 per server per month for endpoint detection and response
● Average pricing for antivirus monitoring ranges between $500-$2,000 per month
● Email protection costs between $3-$6 per user per month
● Two-factor authentication can be $0-$10 per user per month
● Expected cost for a vulnerability assessment is between $5,000-$10,000
● Web application assessment and security architecture review are free, but will take up to 80 hours to complete
● Security program development hourly rates range from $149 to $479 per hour
● Projected approximate total: ~$650,840


Sources

Fruhlinger, Josh. "Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?" CSO Online, CSO, 12 Feb. 2020, www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.

"How Much Does Cyber Security Cost? Common Cyber Security Expenses & Fees." Proven Data - Trusted Solutions In Recovery, Cyber, and Forensics, 3 Dec. 2020, www.provendatarecovery.com/blog/cyber-security-cost-expenses-fees/.

Irmax, et al. "Marriott Data Breach 2020: 5.2 Million Guest Records Were Stolen." Security Boulevard, 13 Apr. 2020, securityboulevard.com/2020/04/marriott-data-breach-2020-5-2-million-guest-records-were-stolen/.

"Marriott Discloses Data Breach Affecting Around 5.2 Million Guests." Cruise Guide, 31 Mar. 2020, p. NA. Gale Academic OneFile, https://link.gale.com/apps/doc/A626012005/AONE?u=msu_main&sid=AONE&xid=2631b020.

"Marriott International, Inc." Marriott International, www.marriott.com/about/culture-and-values/history.mi.

"Marriott International." Wikipedia, Wikimedia Foundation, 4 Dec. 2020, en.wikipedia.org/wiki/Marriott_International.

"The Marriott Data Breach." Consumer Information, 26 Sept. 2019, www.consumer.ftc.gov/blog/2018/12/marriott-data-breach.

Sanger, David E., et al. "Marriott Data Breach Traced to Chinese Hackers." New York Times, 12 Dec. 2018, p. A1(L). Gale General OneFile, https://link.gale.com/apps/doc/A565334999/ITOF?u=msu_main&sid=ITOF&xid=de396dea.

Uberti, David. "Marriott Reveals Breach that Exposed Data of Up to 5.2 Million Customers; the Cyber Incident is at Least the Third at the Hotel Chain in the Past 18 Months." Wall Street Journal (Online), 31 Mar. 2020. ProQuest, http://ezproxy.msu.edu/login?url=https://www-proquest-com.proxy1.cl.msu.edu/newspapers/marriott-reveals-breach-that-exposed-data-up-5-2/docview/2384605801/se-2?accountid=12598.

Uberti, David. "Data Breach at Marriott is the Third in 18 Months." Wall Street Journal, 1 Apr. 2020. ProQuest, http://ezproxy.msu.edu/login?url=https://www-proquest-com.proxy2.cl.msu.edu/newspapers/data-breach-at-marriott-is-third-18-months/docview/2384699334/se-2?accountid=12598.

Zorz, Zeljka. "Marriott International 2020 Data Breach: 5.2 Million Customers Affected." Help Net Security, 1 Apr. 2020, www.helpnetsecurity.com/2020/04/01/marriott-data-breach-2020/.

Team Fact Page

Jacob - I like tacos; I could eat them every day. I like dogs and otters.

Hanna - Rats rule and cats are cool. Stuffing is the best Thanksgiving food.

Marcus - I'm Marcus and I'm sooooo cool.

Zoe - Thanksgiving is the wor$t holiday.

Xinyu - I didn't take the road test for my license.

Qingdian - I'm Qingdian and I like otters and pet dogs.

Jason - The only good rat is one that can make a mean ratatouille or is a ninja.

Yihao Xie - I like to travel around the world.