
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/372524901

Marriott International Data Breach

Article · July 2023


1 author:

Ravindu Denuwan
CICRA Campus

All content following this page was uploaded by Ravindu Denuwan on 22 July 2023.


Marriott International Data Breach 2018


Ravindu Denuwan Godage

[email protected]

Abstract—Marriott International Inc., a multinational hotel firm, informed customers in November 2018 of a data breach resulting in the possible disclosure of credit cards, passport numbers, and other personally identifying information belonging to 500 million customers. The hack was caused by an unknown attacker who obtained access in 2014 to the systems of Starwood hotels, which then merged with Marriott in 2015. The United Kingdom's Information Commissioner's Office (ICO) fined Marriott £18.4 million for the breach, citing General Data Protection Regulation article 32, which specifies that organizations servicing EU residents must take necessary measures to secure personal data.

Keywords — Marriott Attack, GDPR, Legal implications, Incident Response, Privacy and Security.

I. INTRODUCTION

On September 8, 2018, Marriott International—the hospitality firm in charge of one of the world's largest hotel chains—discovered that cybercriminals had breached its guest reservation system. This Marriott data breach exposed the personal information of hundreds of millions of consumers from various countries who had booked reservations at the company's Starwood properties in recent years. Marriott incurred enormous recovery costs, legal ramifications, and reputational damage as a result of the incident.

This breach, which was ultimately caused by existing security vulnerabilities that remained after Marriott's 2016 acquisition of Starwood, has since become known as one of the world's largest cyber incidents, highlighting the importance of prioritizing cybersecurity during merger and acquisition (M&A) events. In retrospect, businesses can learn a variety of cybersecurity lessons by studying the circumstances of this incident, its consequences, and the mistakes Marriott made along the way.

A. Who hacked Marriott and why?

Consumer data theft is frequently associated with cybercriminals attempting to steal identities or use stolen credit card numbers. However, stories in the New York Times and the Washington Post in December 2018, citing anonymous sources in the U.S. government, pointed a finger in an entirely different direction: at hackers employed by Chinese intelligence services.

The Post's and Times's sources had access to more information on the hack than had been made public, and they say the code and attack patterns used match up with approaches used by state-sponsored Chinese hackers; for example, the attackers used a cloud-hosting space frequently used by Chinese hackers. (The involvement of the US intelligence service in the inquiry, as well as the classified nature of the attack, likely explains why few technical specifics have been revealed.) Another indication that this breach was carried out by a government rather than by cybercriminals is that none of the millions of valuable records were sold on the dark web; this was not a simple plundering expedition. [1]

So, what would be the motivation for the attack? According to government sources, it was part of a larger Chinese operation to collect enormous amounts of data on American government employees and intelligence officers; Marriott is the largest hotel provider to the US government and military. Stolen passport numbers, for instance, might be used to track people's movements all over the world. The breach of the Office of Personnel Management's networks, which also resulted in millions of people's data being taken but none of it winding up on the dark web or being used for fraud, was most likely part of the same campaign. The overarching objective is to build a data lake of information on American government employees and agents that can be analyzed using big data techniques. [1]

In retrospect, Marriott had to fight off a bid from Anbang, a Chinese corporation, when it acquired Starwood. However, by the time all of this happened in 2016, Chinese hackers had already entered Starwood's systems, so it could have been a coincidence.

In February 2020, the U.S. Department of Justice formally charged four members of the Chinese military with the 2017 Equifax attack, which resulted in the theft of personally identifiable information from millions of people; the Equifax attack was explicitly linked to the Marriott and OPM breaches as part of the same larger operation in the announcement of the indictment. This was an extremely rare step — the US rarely accuses foreign intelligence officials, in order to avoid retaliation against American operatives — that demonstrated how seriously the U.S. government considered the attack. [1]

II. TECHNICAL ASPECTS OF THE DATA BREACH

An attacker got physical access to a machine on the Starwood network on July 29, 2014, and deployed a web shell. The machine was connected to the internet and had administrative
privileges since it was running a service that allowed employees to make changes to the Starwood website. The attacker installed a Remote Access Trojan (RAT) along with MimiKatz (a post-exploitation tool that dumps passwords, hashes, PINs and Kerberos tickets from memory) on the system through the web shell, giving the attacker access to a shell with root-level privileges on the impacted machine and network-adjacent machines. [2]

Simply described, a RAT is a malicious computer program that allows the perpetrator to gain unauthorized administrative access over their victim's technology. A multitude of digital vulnerabilities at Starwood's properties could have aided the success of the cybercriminals' RAT. These properties, in particular, were running outdated versions of Windows Server on their computer systems, and remote access via Telnet and Remote Desktop Protocol (RDP) ports was left open to the internet. Despite the intrusion within the guest reservation system, Starwood was unable to detect the cybercriminals' activities, allowing them to go undetected. Starwood had multiple databases:

• Starwood Preferred Guest member database
• Reservation System
• "Data Warehouse" (analysis and marketing)

Moving forward to September 2016, Marriott completed its acquisition of Starwood. Marriott failed to conduct a thorough cybersecurity audit of Starwood's networks and technologies throughout the acquisition process. As a result, Marriott was unable to detect the cybercriminals' activity within Starwood's guest reservation system, allowing them to remain unnoticed during the acquisition. Furthermore, Marriott was unaware that Starwood had been targeted by separate attackers in an unrelated incident in 2015, leaving its workplace devices with malware. [2]

Rather than adopting uniform networks and technologies following the acquisition, Marriott enabled Starwood hotels to continue operating as before, utilizing a hacked guest reservation system and malware-infected devices. In addition, Marriott began migrating data from multiple databases stored within Starwood's guest reservation system. This information included a variety of customers' personal details—such as names, addresses, phone numbers, email addresses, passport numbers and credit card numbers.

While the data in these databases was encrypted, the cybercriminals were eventually able to find the related decryption keys and subsequently unlock the information. The cybercriminals then began exfiltrating the information. After transporting this information, the cybercriminals re-encrypted it in an effort to remain undetected within the system. [2]

Marriott discovered the vulnerability in September 2018, over two years after the acquisition, thanks to a system security alert. Marriott reported the incident to law enforcement officials and consulted forensic experts to begin an investigation. In an official announcement issued on November 30, 2018, Marriott revealed the details of the incident to the public. At the time, Marriott revealed that roughly 500 million customers' personal information from throughout the world, including the United States, Canada, and the United Kingdom, had been compromised. [2]

III. PRIVACY AND SECURITY

A. The Impact of the Marriott Data Breach

The attack compromised almost 500 million guests' personal records, which contained sensitive information including name, address, phone number, email address, date of birth, credit and debit card details (9.1 million unique credit card numbers stolen), passport number (23.75 million unique passport numbers stolen), Starwood Preferred Guest ("SPG") account information, gender, arrival and departure information, reservation date, and communication preferences stored in the brand's global guest reservation database. It is one of the biggest data breaches in history, second only to the Yahoo data breach.

Figure 1: Number of accounts potentially hacked including personal details [7]

In addition to the exposed data, Marriott faced a number of consequences as a result of the large-scale hack. These include the following:

1. Recovery costs

As a result of the breach, Marriott incurred roughly $30 million in total recovery costs. This total includes costs associated with investigating the cause of the breach, notifying impacted customers of the breach, providing these customers with year-long access to security monitoring software, developing an international call center in relation to the breach, and implementing updated cybersecurity measures to prevent future incidents. [2]
2. Reputational damages

Aside from the recovery costs, Marriott also received widespread criticism for its cybersecurity shortcomings after the incident. In particular, media and IT experts questioned Marriott's failures to perform due diligence on Starwood's existing security vulnerabilities prior to the M&A process and to detect cybercriminals' activity after the acquisition was completed, allowing cybercriminals to access and exfiltrate customers' personal information for nearly four years. As a result, Marriott's stock dropped by 5% nearly immediately after the company disclosed the details of the hack. Furthermore, the company is projected to have lost over $1 billion in revenue due to diminished customer loyalty following the incident. [2]

Figure 2: Marriott's stock dropped by nearly 5% [6]

3. Legal ramifications

Finally, as a result of the breach, Marriott faced costly legal implications from a variety of sources. The Information Commissioner's Office fined Marriott over $120 million for violating British consumers' privacy rights under the General Data Protection Regulation, since the incident affected individuals from the United Kingdom. [2]

B. Tools and techniques that could be used to enforce security of the data and traffic

The ICO's (Information Commissioner's Office) ruling contains four important findings at a high level:

1. Insufficient monitoring of privileged accounts: There was a failure to implement continuous network and user activity monitoring. According to the ICO, Marriott should have been aware of the requirement for additional layers of security. [3]

2. Insufficient database monitoring.

3. Failure to implement server hardening: The server's vulnerability could have been mitigated, for example, through whitelisting. [3]

4. Lack of encryption: For example, passport information was not encrypted.

By considering the ICO's findings, the following are several tools and techniques that could be used to enforce security of data and traffic in relation to the Marriott data breach:

1. Anomaly detection: It might be tough to discover anomalies in an organization's network without a baseline understanding of how it should work. Anomaly detection engines (ADE) allow an organization to evaluate its network so that when breaches occur, it is notified quickly enough to respond.

2. Data loss prevention (DLP): The human factor is frequently the weakest link in network security. DLP technology and policies serve to prevent employees and other users from misusing and potentially compromising sensitive data, or from allowing sensitive data to leave the network.

3. Security information and event management (SIEM): Getting the proper information from so many various tools and resources can be tough at times, especially when time is short. SIEM technologies and software provide responders with the information they need to act quickly.

4. Virtual private network (VPN): VPN security tools enable secure networks and endpoint devices to communicate with one another. Remote-access VPNs typically employ IPsec or Secure Sockets Layer (SSL) for authentication, resulting in an encrypted line that prevents eavesdropping by third parties.

5. Network Segmentation: By segmenting the network, it can be ensured that sensitive data is kept separate from the rest of the network, making it more difficult for attackers to access the data.

6. Vulnerability Scanning: Vulnerability scanning can be used to identify potential vulnerabilities in the IT infrastructure. This could be done using commercial or open-source vulnerability scanning tools.

7. Monitoring and Logging: Monitoring and logging can be used to detect any unusual activity on the network and to provide a record of events that can be used for forensic analysis in the event of a security breach.

8. Intrusion Detection and Prevention Systems (IDPS): IDPS can be used to detect and prevent unauthorized access to the network. This could include firewalls,
network intrusion detection systems (NIDS), and host-based intrusion detection systems (HIDS).

9. Access Control: Access control systems can be put in place to ensure that only authorized individuals have access to sensitive data. This could include biometric authentication, smart cards, and multi-factor authentication.

Figure 3: Role-Based Access Control [8]

IV. PENETRATION TESTING/ETHICAL HACKING

It is not publicly known what security testing Marriott International Inc. carried out prior to the attack. It is possible that the organization did conduct some form of security testing, but it is also possible that it did not identify the specific vulnerability that was exploited by the attackers. However, we can discuss the attack from a penetration/security testing standpoint based on the available information. The Marriott data breach is a classic example of how a well-planned and executed attack can bypass the most robust of security defenses. In order to perform a security test on Marriott's IT infrastructure, a team of ethical hackers would use a combination of automated and manual techniques to simulate an attack.

The methodology for penetration testing Marriott's IT infrastructure may include the following steps:

1. Planning: Define the scope of the penetration test, including the systems and applications to be tested, and the methods to be used.

2. Reconnaissance: The penetration testing team would use a combination of publicly available information and passive reconnaissance techniques to identify potential vulnerabilities in Marriott's IT infrastructure. This may involve identifying the operating system, web server, and applications running on the Marriott servers.

3. Scanning: The team would then use automated tools like Nessus or OpenVAS to scan for known vulnerabilities in Marriott's IT infrastructure.

4. Exploitation: Once the vulnerabilities have been identified, the team would attempt to exploit them. This may involve the use of publicly available exploits or the development of custom exploits to take advantage of specific weaknesses.

5. Post-exploitation: After gaining access to the system, the team would attempt to escalate privileges, move laterally within the network, and exfiltrate sensitive data. This phase would be critical in assessing the extent of the damage that can be done once a hacker has gained access to the Marriott network.

6. Reporting: Finally, the team would produce a comprehensive report that outlines the vulnerabilities discovered, the exploits used, and recommendations on how to remediate the vulnerabilities.

Overall, the Marriott data breach highlights the importance of continuous security testing and monitoring to detect vulnerabilities and attacks early. In addition to penetration testing, Marriott should also implement a comprehensive security program that includes regular vulnerability assessments, patch management, employee training, and incident response planning, so that it can quickly respond to and mitigate any potential breaches that do occur. It is essential to adopt a risk-based approach to security that prioritizes the protection of sensitive data and assets.

V. INCIDENT RESPONSE AND DISASTER RECOVERY

Marriott International's response to the data breach in November 2018 involved a combination of incident response techniques and communication strategies. The company's approach was consistent with industry best practices for handling data breaches, but there were also some areas where the company could have done better.

The following are the methods used to respond to the attack:

1. Incident Response Plan: Marriott International had an incident response plan in place, which allowed them to respond to the breach. The plan included a team of experts who could assess the scope of the breach, contain the breach, and begin the process of notifying customers and relevant authorities.

2. Forensic Analysis: The company conducted a forensic analysis of its systems to identify the source of the breach and to determine the extent of the damage. This analysis allowed them to identify the specific data that had been compromised and the number of customers affected.

3. Communication Strategy: Marriott International developed a communication strategy to inform customers and the public about the breach. The strategy included press releases, website notifications,
and direct communication to affected customers. The company also set up a call center to address customer concerns. Marriott also offered victims in the USA, the UK, and Canada a free, one-year subscription to WebWatcher to help protect against identity fraud.

4. Technical Measures: The company took technical measures to mitigate the effects of the attack, such as resetting passwords, improving system security, and enhancing monitoring of its systems.

The company's strategy had some positive impacts, such as containing the breach and notifying customers in an effective manner. The company also provided customers with free identity theft protection and credit monitoring services for a year. However, the impact of the breach was still significant, as the company faced legal challenges, reputational damage, and potential financial losses.

In terms of best practices found in the literature, Marriott International's response was consistent with industry standards, such as having an incident response plan in place and conducting a forensic analysis. However, there were some areas where the company could have done better. For example, the company could have notified customers more quickly after discovering the breach. Additionally, the company could have taken more proactive measures to secure customer data, such as implementing multi-factor authentication and data encryption.

The strengths of Marriott International's response included their identification of the breach and their effective communication with customers. The weaknesses included a lack of proactive measures to prevent the breach and delays in notifying customers.

Overall, Marriott International's response to the 2018 data breach was a combination of effective incident response techniques and communication strategies, consistent with industry best practices.

VI. LEGAL AND ETHICAL ISSUES

A. Legal issues

As a result of this data breach, Marriott received severe penalties. Multiple class-action lawsuits were filed against Marriott for failing to undertake due diligence on Starwood's IT infrastructure. Along with the lawsuits, Marriott agreed to pay for passport replacements for customers who were affected by the data leak. [5]

Separately, the Information Commissioner's Office (ICO) of the United Kingdom, a consumer rights watchdog, fined Marriott over $120 million for violating British consumers' privacy rights under the General Data Protection Regulation, since the incident affected individuals from the United Kingdom. Following the announcement of the breach, Marriott was hit with multiple class-action lawsuits in North America, one of which requested $12.5 billion in damages, or $25 for each harmed customer. [5]

The ICO again fined Marriott $23.8 million (down from the original penalty of $123 million) for failing to meet GDPR security standards. The ICO claims that Marriott failed to "implement necessary technological or organizational measures" while processing data, though it also acknowledged that Marriott has since taken the proper measures to improve security. Notably, the original fine of $123 million would have been one of the biggest GDPR penalties, representing around 3% of Marriott's total revenue. [5]

Marriott will most likely survive this data breach financially. Customer satisfaction ratings, on the other hand, fell in 2019, putting the brand level with Hilton and suggesting that the breach may cause more long-term damage to guest loyalty. According to studies, about a quarter of Americans will stop doing business with a firm that has been hacked, while more than two in three people trust a company less after a data breach.

1) GDPR Violation

The ICO fined Marriott in 2018 for violating Article 32 of the GDPR; however, the ICO also mentioned problems in Marriott's compliance with Articles 33 and 34 that were not ultimately included in the final penalty. [11]

Article 32: Article 32 requires that any stored information that can be used to identify a natural person be safeguarded with adequate security measures such as encryption and access control procedures. During its investigation the ICO discovered 1) a lack of monitoring of privileged accounts and database activity, 2) a lack of encryption-at-rest for certain classes of data (passport numbers being one), and 3) a lack of strict access control policies on a server with personally identifiable information. Previous sanctions for violation of Article 32 include a 27.8 million euro fine imposed by the ICO on British Airways in 2020 and a 12.3 million euro fine imposed on Vodafone Italy by the Italian Data Protection Authority in 2020.

Article 33: According to Article 33, in the event of a likely security breach, the data controller shall notify an authorized body within 72 hours, unless there are valid reasons for the delay. The ICO said that, while Marriott waited until they were certain that a breach had occurred to notify, the GDPR clearly stipulates that the data controller must inform whenever they suspect a breach, even if they are not certain. The fine did not take this ruling into account. [11]

Article 34: According to Article 34, in the event of a data breach, the controller shall notify data subjects in clear language and within a reasonable time that their data may have been compromised. While Marriott responded quickly, the ICO noticed a few small flaws in its communication with subjects, such as forgetting to include a phone number for their call center
in the email they sent out. These minor faults were also not taken into account in the fine. [11]

B. Ethical issues

The Marriott data breach in 2018 raised several ethical issues related to data privacy and security. Some of these issues include:

1. Responsibility of the organization: Marriott International was responsible for protecting its customers' personal and sensitive information. However, the data breach showed that the organization failed to adequately secure its systems, which raises questions about their level of responsibility and ethical obligation towards their customers.

2. Impact on customers: The data breach resulted in the exposure of personal and sensitive information of 300 million customers, including passport numbers, credit card details, and other sensitive data. This breach of privacy had a significant impact on the customers, who were now at risk of identity theft and financial fraud.

3. Lack of transparency: Marriott International initially failed to provide sufficient information about the breach, which made it difficult for customers to take the necessary steps to protect themselves. This lack of transparency is considered unethical, as it places the customers at a disadvantage and undermines their trust in the organization.

4. Responsibility for third-party vendors: Marriott International outsourced its IT services to a third-party vendor, and it is still unclear who was responsible for the breach. This raises questions about the ethical responsibilities of organizations to ensure that their third-party vendors are following appropriate security protocols to protect sensitive data.

C. Other individuals and organizations affected

It is unclear what other organizations may have been affected by the Marriott data breach in 2018. However, it is likely that any individuals whose personal information was compromised could potentially have financial, reputational, or identity theft concerns. Additionally, financial institutions that issued the affected credit cards may have had to bear the costs of reissuing cards and covering fraudulent charges. Government agencies responsible for safeguarding citizens' passport numbers may also have been impacted. It is also possible that other organizations that the affected individuals do business with could have been impacted by the data breach, as their personal information may have been used in future attacks.

On top of that, the ICO's ruling also specifies that despite Marriott's assurances and mitigation measures, the Regulator determined that some of the affected persons, depending on their circumstances, were likely to have suffered anxiety and distress.

VII. CONCLUSIONS AND RECOMMENDATIONS

A. Recommendations

By reviewing the ICO's list of shortcomings, we can prepare a list of recommendations for Marriott's security and privacy group. We can make the following recommendations in particular:

1. Add monitoring on privileged accounts.
2. Add monitoring of database activity.
3. Improve encryption schemes for data at rest.
4. Increase levels of access control on servers with Personally Identifiable Information (PII).
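The ICO's first two findings (insufficient monitoring of privileged accounts and of database activity, Section III.B) and recommendations 1 and 2 above both come down to the same control: record what privileged accounts normally do, then alert on deviations such as an unfamiliar host, activity outside usual hours, or a query that returns far more rows than the account ever has. The following Python script is an added illustration of that control and is not part of the original paper; the audit-log format, the account names, the hosts and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Baseline-and-deviation monitoring for privileged accounts and database
activity.  Hypothetical log format, account names and thresholds; all
sample lines are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed audit lines: <ISO timestamp> <account> <host> <action> <rows>
# ('rows' is '-' for events that return no data).
BASELINE_LOG = """\
2018-07-02T09:03:11Z dba_alice db-res01 LOGIN -
2018-07-02T09:05:40Z dba_alice db-res01 QUERY 250
2018-07-02T14:21:09Z dba_alice db-res01 QUERY 400
2018-07-03T10:12:52Z dba_alice db-res01 LOGIN -
2018-07-03T10:15:00Z dba_alice db-res01 QUERY 180
2018-07-03T08:45:13Z svc_web srv-web01 LOGIN -
2018-07-03T08:46:02Z svc_web srv-web01 QUERY 20
2018-07-04T11:30:27Z svc_web srv-web01 QUERY 35
"""

# Constructed window under review: a web service account reaching the
# reservation database at night and pulling millions of rows.
DETECTION_LOG = """\
2018-09-07T02:14:05Z svc_web db-res01 LOGIN -
2018-09-07T02:16:48Z svc_web db-res01 QUERY 5000000
2018-09-07T02:40:10Z svc_web db-res01 EXPORT 5000000
2018-09-07T09:10:33Z dba_alice db-res01 LOGIN -
2018-09-07T09:12:00Z dba_alice db-res01 QUERY 300
"""

PRIVILEGED = {"dba_alice", "svc_web"}  # accounts under enhanced monitoring
ROWS_MULTIPLIER = 10                   # flag reads > 10x the baseline maximum
HOUR_SLACK = 1                         # tolerate +/- 1h around observed hours


@dataclass
class Event:
    ts: datetime
    account: str
    host: str
    action: str
    rows: Optional[int]


@dataclass
class Baseline:
    hosts: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)
    max_rows: int = 0


def parse(log: str) -> List[Event]:
    """Parse the hypothetical five-field audit format into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, host, action, rows = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            account, host, action,
                            None if rows == "-" else int(rows)))
    return events


def build_baseline(events: List[Event]) -> Dict[str, Baseline]:
    """Learn, per privileged account, the hosts, hours and largest read seen."""
    base: Dict[str, Baseline] = defaultdict(Baseline)
    for e in events:
        if e.account not in PRIVILEGED:
            continue
        b = base[e.account]
        b.hosts.add(e.host)
        b.hours.add(e.ts.hour)
        if e.rows is not None:
            b.max_rows = max(b.max_rows, e.rows)
    return base


def hour_in_baseline(hour: int, hours: Set[int]) -> bool:
    # Circular distance so 23:00 and 00:00 count as neighbours.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= HOUR_SLACK for h in hours)


def detect(baseline: Dict[str, Baseline], events: List[Event]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, account, reason) for every deviation from baseline."""
    alerts = []
    for e in events:
        if e.account not in PRIVILEGED:
            continue
        b = baseline.get(e.account)
        if b is None:
            alerts.append((e.ts, e.account, "privileged account with no baseline"))
            continue
        if e.host not in b.hosts:
            alerts.append((e.ts, e.account, f"activity on unfamiliar host {e.host}"))
        if not hour_in_baseline(e.ts.hour, b.hours):
            alerts.append((e.ts, e.account, f"activity at {e.ts.hour:02d}:00 outside baseline hours"))
        if e.rows is not None and e.rows > ROWS_MULTIPLIER * max(b.max_rows, 1):
            alerts.append((e.ts, e.account, f"{e.action} touched {e.rows} rows (baseline max {b.max_rows})"))
        if e.action == "EXPORT":
            alerts.append((e.ts, e.account, "bulk EXPORT of database contents"))
    return alerts


def run() -> List[Tuple[datetime, str, str]]:
    return detect(build_baseline(parse(BASELINE_LOG)), parse(DETECTION_LOG))


if __name__ == "__main__":
    for ts, account, reason in run():
        print(f"{ts.isoformat()} {account}: {reason}")
```

Every alert in the constructed window points at the service account on the database host, while the DBA's daytime activity stays silent, which is the signal-to-noise a baseline is meant to give responders.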
Implementing the above measures would have either reduced the severity of the attack or allowed quicker identification. These are all common processes at huge IT businesses where data is crucial to their business strategy, but data protection rules sometimes go by the wayside at companies like Marriott.

In addition to the above-mentioned measures, the following recommendations can be made for Marriott International to contain and manage the impact of future data breaches:

1. Implement a robust incident response plan: An incident response plan should be in place to respond quickly and effectively to data breaches. The plan should include a team of experts who can assess the scope of the breach, contain the breach, and notify relevant authorities and customers. The plan should be tested and updated regularly to ensure its effectiveness.

Figure 4: Incident Response Cycle [10]

2. Strengthen data security measures: Marriott International should implement strong data security measures to prevent data breaches from occurring in the first place. This includes implementing multi-factor authentication, data encryption, access controls, and regularly patching vulnerabilities in its
systems. These measures should be aligned with industry best practices and standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

3. Enhance employee training and awareness: Employees are often the first line of defense against cyber-attacks. Marriott International should provide regular training and awareness programs to employees on the importance of data security and the potential risks associated with cyber-attacks. This includes training employees on how to recognize and report suspicious activity and phishing attempts.

4. Conduct regular risk assessments: Marriott International should regularly conduct risk assessments to identify potential vulnerabilities and risks to its systems and data. The assessments should identify areas where security measures can be improved, and ensure that security controls are effective and aligned with industry best practices.

Figure 5: Risk Assessment Roadmap [9]

5. Improve incident communication and response: Marriott International should improve its incident communication and response process to ensure timely and effective communication with customers, regulators, and other stakeholders. This includes setting up a communication plan to inform customers and stakeholders about the breach, providing regular updates, and addressing customer concerns promptly.

On top of that, Marriott International should look for software vendors who adhere to stringent standards for modern regulatory frameworks such as SOC-2, GDPR, PSD2, and PCI compliance. The first priority of Marriott International's IT team should be to encrypt guest data and set up alarms to quickly notify when a potential security breach occurs. Legacy IT must be updated; ensure that the most recent version of software is installed on all devices. Patches and new fixes are frequently included in security upgrades as the threat landscape evolves. Also, Marriott International should have a plan in place for communicating with customers as soon as they detect a breach. The question shouldn't be "if" there will be a cyberattack – but when.

B. Conclusion

The 2018 Marriott data breach was one of the largest data breaches in history, affecting up to 500 million customers. The breach was a result of unauthorized access to the Starwood guest reservation database, which contained sensitive information. Marriott's response to the data breach was initially criticized for being slow and inadequate. The breach was discovered in September 2018, but it was not until November that year that Marriott publicly disclosed the incident. In addition, the company's response to customer inquiries and concerns was considered poor, as it took several weeks for Marriott to set up a call center to handle customer inquiries. In the aftermath of the breach, Marriott has taken several steps to improve its cybersecurity measures and restore customer confidence. This includes offering affected customers free identity theft protection, implementing additional security measures, and conducting a comprehensive review of its systems and processes. The Marriott data breach highlights the importance of robust cybersecurity measures and prompt communication with customers in the event of a breach. It also emphasizes the need for organizations to prioritize the protection of customer data and take all necessary steps to prevent future breaches from occurring. As data breaches continue to be a significant threat to businesses and individuals, it is essential for all organizations to remain vigilant and invest in cybersecurity measures to protect against such incidents.

REFERENCES

[1] J. Fruhlinger, "Marriott data breach FAQ: How did it happen and what was the impact?," CSO Online. https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html. [Accessed: 24-Mar-2023].
[2] K. Young, "Cyber case study: Marriott data breach," CoverLink Insurance - Ohio Insurance Agency. https://coverlink.com/case-study/marriott-data-breach/. [Accessed: 14-Apr-2023].
[3] P. Donn, "The data breach that cost Marriott £18.4 million - what went wrong," Data Protection Network. https://dpnetwork.org.uk/data-breach-costs-marriott-18-million/. [Accessed: 13-May-2023].
[4] D. Daniels, "14 Network Security tools and techniques to know," Gigamon Blog. https://blog.gigamon.com/2019/06/13/what-is-network-security-14-tools-and-techniques-to-know/. [Accessed: 11-Jul-2023].
[5] "Marriott Data Breach FAQ: What Really Happened?," Hoteltechreport.com. https://hoteltechreport.com/news/marriott-data-breach. [Accessed: 12-Jun-2023].
[6] N. Rovnick, H. Kuchler, and C. Hodgson, "Marriott breach potentially exposed data of 500m guests," Financial Times. https://www.ft.com/content/1a4a5dea-f492-11e8-9623-d7f9881e729f/. [Accessed: 27-Mar-2023].
[7] "Marriott Breach Exposes Weakness in Cyber Defenses for Hotels," Bloomberg.com. https://www.bloomberg.com/news/articles/2018-12-14/marriott-cyber-breach-shows-industry-s-hospitality-to-hackers. [Accessed: 21-Apr-2023].
[8] "RBAC vs. ABAC access control: What's the difference?," DNSstuff.com. https://www.dnsstuff.com/rbac-vs-abac-access-control. [Accessed: 19-Jun-2023].
[9] "Security risk management assessments," Searchinform.com. https://searchinform.com/infosec-blog/2019/09/20/security-risk-management-assessments/. [Accessed: 10-Jul-2023].
[10] "The cyber incident response lifecycle," Axaxl.com. https://axaxl.com/fast-fast-forward/articles/the-cyber-incident-response-lifecycle. [Accessed: 28-Jun-2023].
[11] P. Biberstein and S. Rajesh, "GDPR Case Study: Marriott International, Inc," Brown.edu. https://cs.brown.edu/courses/csci2390/2021/assign/gdpr/pbiberst-srajesh1-mariott.pdf. [Accessed: 20-Jul-2023].
