Marriott International has agreed to pay a $52 million fine for cyber-negligence resulting in data breaches affecting over 300 million of its customers worldwide, representing a fine of less than two cents per customer.
The US Federal Trade Commission and attorneys general from 49 states ran parallel investigations into three data breaches which took place between 2014 and 2020. Cybercriminals were able to steal passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and other personal information from hundreds of millions of customers.
The FTC says that poor data security practices resulted in the breaches at Marriott and its subsidiary Starwood Hotels & Resorts Worldwide. Within the next six months, Marriott has been ordered to establish, implement, and maintain a comprehensive information security program to protect its guests’ personal information. The international hotel giant is also now required to monitor the new safeguards annually, using a vulnerability management program that also discovers vulnerabilities that have been identified by outside cybersecurity sources.
For $140 any cybercriminal can hack into hotel Wi-Fi
For at least a decade, the cybersecurity industry has been warning business travelers to avoid using public Wi-Fi in locations such as Marriott hotels. Malicious hackers have long regarded expensive business hotels, such as those that make up the Marriott chain, as honeypots of users’ personal data. Hacking into hotel guests’ devices is simplicity itself for anyone with $140 to spend on a device known as a ‘pineapple’. The ‘pineapple’ is freely available on the ordinary internet and can be hidden in an ordinary attaché case.
Quite simply, the ‘pineapple’ enables its owner to substitute his or her own Wi-Fi connection for the one offered by the hotel without the guests being aware of the switch. The device then enables its owner to observe all the online activity of the guests, thus opening the door to fraud, theft, extortion, blackmail, and industrial and state espionage.
Despite the FTC-imposed fine and its requirement for Marriott to upgrade its cybersecurity, organizations must still warn their staff to avoid public Wi-Fi networks when traveling, as hotel lobbies remain honeypots for determined threat actors.