Marriott: Data Breach Incident Analysis and Report Research Paper

Introduction

The recent cybersecurity audit by CyberOne Business and Casualty Insurance revealed a number of serious gaps in the Padgett-Beale incident response plan. If the identified gaps and vulnerabilities are not properly addressed, Padgett-Beale will suffer a significant loss of insurance coverage.

These gaps must be addressed in the audit report for the company’s sake. The audit found that the business’ operating units lacked detailed strategies to safeguard their data (“The hackers did this”: Data breach lawsuits and commercial general liability insurance, 2022). CyberOne believes our business is unprepared to stop, or respond to, a significant data breach. Examining the Marriott data breach below will identify the shortcomings and the lessons our company must take away from a rival’s costly error. Once the breach has been evaluated, industry best practices to remedy the weaknesses in the system will be suggested. These lessons and suggestions are provided so that the best choices can be made to address the audit results.

Analysis

The Marriott data breach ranks among the most significant data breaches globally; many industry experts place it second of all time. Approximately 400,000,000 hotel guests were affected, with a total loss of over three million US dollars. The breach began in 2014, when the attackers took the personal data that customers had entered to make their hotel bookings and reservations. The good news is that Marriott already had a policy that covered some expenses related to the data breach (“The hackers did this”: Data breach lawsuits and commercial general liability insurance, 2022). Because prospective legal actions and regulatory and compliance fines remain, author Patrick Nohe responded to the news as follows: “Marriott’s cyber insurance could apply to some of those as well, but we don’t know enough about the policy to determine whether or not it will pay out.”

Customers and property owners are connected in the current hotel business model through online reservation platforms. Marriott paid $13.6 billion to purchase Starwood Hotels & Resorts, a merger that would cost Marriott a great deal of money and work to its detriment (Talesh, 2018). The Starwood Hotels & Resorts website’s reservation system was broken into during the transaction. By completing the acquisition, Marriott accepted the dangers and repercussions of the as yet unidentified data breach. The hotel sector is now particularly susceptible to security flaws; for instance, there have recently been security lapses at Hyatt Hotels Corp., Trump Hotels, and InterContinental Hotels Group.

After a thorough investigation, the Information Commissioner’s Office (ICO) concluded that Marriott International would be fined £99,200,396 for violations of the General Data Protection Regulation, acting on behalf of the data protection authorities of the EU Member States and other applicable parties (“The hackers did this”: Data breach lawsuits and commercial general liability insurance, 2022). In the opinion of ICO Commissioner Elizabeth Denham, organizations like Marriott must be held responsible for all data they control that is classified as sensitive, and should exercise due diligence when making corporate acquisitions, putting auditable accountability measures in place to identify acquired personal or sensitive data and ensure that it is secured. Author Bruce Sussman states that the following data was taken from the database: email addresses, names of the guests, phone numbers, dates of birth, passport numbers, arrival and departure information, communication preferences, and reservation dates.

The volume of data taken in this hack is astounding. Unfortunately for Marriott, the fines and legal actions that follow will make this a very expensive error. What Marriott might have done to prevent it is a crucial point that has to be addressed. In her piece, Mullins Consulting, Inc.’s president and primary consultant, Joyce Wells, discusses what businesses can learn from the Marriott data breach. Craig Mullins was asked what steps Marriott should have taken to prevent this data leak (Talesh, 2018). Organizations could prevent most such breaches with proper encryption, masking, and appropriate auditing software; nevertheless, these solutions are not widely used. Legislation is needed to compel good data protection.

Best Practices

Several suggested steps will need to be considered for Padgett-Beale to respond to CyberOne Business and Casualty Insurance’s audit findings and adapt to the changing dangers of data breaches. The solutions, procedures, and policies listed below are considered industry best practices and are intended to improve data breach response plans and policies. Adopting these suggestions will reduce the likelihood of a data breach, improve the effectiveness of reacting to breaches, and reduce any monetary or reputational harm to Padgett-Beale.

Training people

To boost the efficacy of a data breach response strategy, corporate workers must be trained and made aware of the plan. Employees will not adhere to the data breach response process if they are unaware of the strategy and policy. Training also helps personnel recognize, and stay watchful for, the signs that a data breach is likely. Although skilled, the Padgett-Beale IT department cannot be present everywhere at once, and the likelihood of discovering data breaches improves dramatically with trained and informed workers. It is advised that all corporate employees receive training and awareness sessions at least once per quarter. At Padgett-Beale, the objective is to foster a culture that prioritizes security. This means that everyone, from senior executives to the newest hires, is informed and educated, and understands that protecting client data matters.

Processes

The least privilege concept should be used to assure compliance and corporate data security. Users, systems, and procedures are all affected by this rule: it permits only the minimum access necessary to carry out a task. Applying this idea will reduce data breaches (Talesh, 2018). It is suggested that Padgett-Beale implement user accounts with the least privilege. If a system or device belonging to an employee is penetrated, the attacker will have access only to that user’s bare minimum of privileges.
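The least privilege idea above can be made concrete as two checks: a deny-by-default authorization decision, and an audit that compares what each account has actually been granted against the minimum its role needs. The following is an added illustration, not part of the original paper and not any product's code; the role names, permission strings and account list are constructed for the example.

```python
"""Least-privilege modelling: deny-by-default authorization plus an
over-privilege audit. Hypothetical example; roles, permissions and
accounts are constructed for illustration."""
from dataclasses import dataclass

# Role baselines: the minimum permissions each job function needs (constructed).
ROLE_BASELINE = {
    "front_desk": {"reservations:read", "reservations:create"},
    "billing": {"reservations:read", "payments:read", "payments:charge"},
    "dba": {"db:backup", "db:restore", "reservations:read"},
}


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    granted: frozenset  # permissions actually assigned to the account


def is_allowed(account, permission):
    """Deny by default: allow only if the permission is both in the role
    baseline and explicitly granted to the account."""
    baseline = ROLE_BASELINE.get(account.role, set())
    return permission in baseline and permission in account.granted


def excess_privileges(account):
    """Permissions granted beyond what the role needs (candidates for removal)."""
    return account.granted - ROLE_BASELINE.get(account.role, set())


def audit(accounts):
    """Return {user: sorted excess permissions} for every over-privileged account."""
    findings = {}
    for acct in accounts:
        excess = excess_privileges(acct)
        if excess:
            findings[acct.user] = sorted(excess)
    return findings


def blast_radius(account):
    """What a compromise of this account could do: the effective permission
    set once least privilege is enforced, regardless of what was granted."""
    return sorted(p for p in account.granted if is_allowed(account, p))


# Constructed sample accounts; "bob" has drifted beyond his role baseline.
ACCOUNTS = [
    Account("alice", "front_desk",
            frozenset({"reservations:read", "reservations:create"})),
    Account("bob", "front_desk",
            frozenset({"reservations:read", "reservations:create",
                       "db:restore", "payments:charge"})),
    Account("carol", "dba",
            frozenset({"db:backup", "db:restore", "reservations:read"})),
]

if __name__ == "__main__":
    for user, excess in audit(ACCOUNTS).items():
        print(f"{user} is over-privileged: {excess}")
    print("bob effective permissions:", blast_radius(ACCOUNTS[1]))
```

Running the audit periodically is what keeps the principle from eroding: the `audit` function surfaces drift such as bob's stray `db:restore` grant, while `is_allowed` limits the damage of a compromised account to its role baseline even before the grant is cleaned up.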

Developing policies

The incident response strategy must include both legal and regulatory compliance; costly fines will inevitably arise from disregarding applicable requirements. The incident response plan must also be compatible with current plans and rules. By following these practices, the organization will avoid penalties and expensive legal actions (Jung, 2021). It is also strongly advised that the policy be tested and updated at least once a year. The Federal Trade Commission further notes that, depending on the jurisdiction, notifying victims of a security breach may be legally mandated if it involves their personal information. If these guidelines are not followed, the firm might suffer irreparable damage.

Using Appropriate Technologies

Using the proper technology can increase the effectiveness of the data response policy. A Network Traffic Analysis (NTA) solution should be selected and deployed. The NTA will monitor data transfers on the corporate network and search for suspicious anomalies (Jung, 2021). Additionally, Endpoint Detection and Response (EDR) will track and detect data breaches and notify IT staff when threats are discovered.
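The kind of anomaly an NTA tool looks for in a breach like Marriott's is a host that suddenly sends far more data out than it normally does, often to a destination it has never talked to before. The following is an added example of that detection logic, not part of the original paper and not any vendor's code; the flow-record format, host names, addresses and byte counts are all constructed, and a real deployment would read flow exports from the network rather than an inline string.

```python
"""Network traffic analysis sketch: flag hosts whose outbound volume is
anomalous against their own baseline, or that contact a new destination.
Added example; the flow-record format and every record are constructed."""
import statistics
from collections import defaultdict

# Constructed flow records: day, source host, destination, bytes sent out.
# res-db-01 behaves normally for five days, then pushes ~48 MB to an
# address it has never contacted (203.0.113.77 is a documentation range).
FLOW_LOG = """\
day,src,dst,bytes_out
1,res-db-01,10.0.5.20,120000
2,res-db-01,10.0.5.20,118000
3,res-db-01,10.0.5.20,125000
4,res-db-01,10.0.5.20,121000
5,res-db-01,10.0.5.20,119000
6,res-db-01,203.0.113.77,48000000
1,web-01,10.0.5.30,900000
2,web-01,10.0.5.30,950000
3,web-01,10.0.5.30,870000
4,web-01,10.0.5.30,910000
5,web-01,10.0.5.30,930000
6,web-01,10.0.5.30,940000
"""


def parse_flows(text):
    """Parse the constructed CSV flow log into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        rows.append({"day": int(f["day"]), "src": f["src"],
                     "dst": f["dst"], "bytes_out": int(f["bytes_out"])})
    return rows


def daily_egress(rows):
    """{src: {day: total bytes_out}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for r in rows:
        totals[r["src"]][r["day"]] += r["bytes_out"]
    return totals


def robust_zscore(value, baseline):
    """Median/MAD score: robust to a stray outlier inside the baseline itself.
    1.4826 scales MAD to a standard deviation for normal data."""
    med = statistics.median(baseline)
    mad = statistics.median(abs(b - med) for b in baseline) or 1.0
    return (value - med) / (1.4826 * mad)


def find_anomalies(rows, baseline_days, check_day, threshold=6.0):
    """Report hosts whose egress on check_day is far above their baseline
    or that contacted a destination unseen during the baseline period."""
    totals = daily_egress(rows)
    known_dsts = defaultdict(set)
    for r in rows:
        if r["day"] in baseline_days:
            known_dsts[r["src"]].add(r["dst"])
    findings = []
    for src, per_day in totals.items():
        baseline = [per_day[d] for d in baseline_days if d in per_day]
        if len(baseline) < 3 or check_day not in per_day:
            continue  # not enough history to judge this host
        score = robust_zscore(per_day[check_day], baseline)
        today_dsts = {r["dst"] for r in rows
                      if r["src"] == src and r["day"] == check_day}
        new_dsts = sorted(today_dsts - known_dsts[src])
        if score > threshold or new_dsts:
            findings.append({"src": src, "score": round(score, 1),
                             "new_destinations": new_dsts})
    return findings


if __name__ == "__main__":
    for hit in find_anomalies(parse_flows(FLOW_LOG), range(1, 6), check_day=6):
        print(f"{hit['src']}: egress z={hit['score']}, "
              f"new destinations={hit['new_destinations']}")
```

Two design choices matter here. Each host is compared against its own history rather than a fleet-wide average, because a reservation database and a web front end have very different normal volumes; and the baseline statistic is median/MAD rather than mean/standard deviation, so a single earlier spike cannot inflate the baseline and hide a later one. The new-destination check is kept separate because a slow, low-volume exfiltration would never trip a volume threshold.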

Conclusion

Padgett-Beale must close the vulnerabilities found during the CyberOne Business and Casualty Insurance audit. Addressing these gaps has two advantages for the business. First, the CyberOne insurance coverage must be renewed to safeguard the company against penalties and legal fees in the worst-case situation. Second, implementing the suggested fixes and best practices will improve the organization’s incident response strategy. Doing so will reduce the chance of a data breach, and corporate data security will be maintained (Talesh, 2018). The firm’s capacity to conduct business will be jeopardized if the confidentiality, accessibility, and integrity of our data are not maintained. The following suggestions can be included in the incident response plan to address the absence of specific strategies in the firm’s operational units.

The first approach is quarterly training and awareness while fostering a security-focused culture. Next, implementing the least privilege concept across all systems, users, and procedures will lessen the likelihood of data breaches. The incident response policy must then be tested and updated annually, identifying and observing the legal and regulatory compliance requirements. Finally, a Network Traffic Analysis and an Endpoint Detection and Response solution must be implemented to improve the effectiveness and capabilities of the data response strategy.

These suggestions will enable the development of a data response policy that is capable, compliant, and flexible enough to respond to any challenges our firm may face. After adopting these guidelines, each operational unit at Padgett-Beale will have a data response plan and policy to follow (Jung, 2021). The updated policy will close the audit gaps, and the CyberOne Business and Casualty Insurance coverage will be renewed. This can only be accomplished if every operational unit adheres to and uses the same updated data response strategy and policy.

References

Jung, K. (2021). . Korean Insurance Journal, 127, 1-42. Web.

Talesh, S. A. (2018). . Law & Social Inquiry, 43(02), 417-440. Web.

“The hackers did this”: Data breach lawsuits and commercial general liability insurance. (2022). Cyberinsurance Policy, 65-86. Web.

Reference

IvyPanda. (2024, April 23). Marriott: Data Breach Incident Analysis and Report. https://ivypanda.com/essays/marriott-data-breach-incident-analysis-and-report/