Jaswanth Gudibandi
Vasavi College of Engineering
All content following this page was uploaded by Jaswanth Gudibandi on 02 September 2020.
Possible Attack
Phishing, PoS Breach

A statistic about the type of the attack or about the case study company's industry
After obtaining the necessary credentials, the attackers installed malware at the Point of Sale (PoS) cash registers. Most of these attacks happen in the restaurant business, as in this case. 60% of PoS transactions are made via credit card, which gives the attacker a critical chance of obtaining a lot of credit card information.
A report from 2017 shows that 84% of PoS breaches are in the hospitality industry.
Company description
Marriott International is an American hospitality company founded in 1927, headquartered in Bethesda, Maryland, US. It is the largest hotel chain in the world, with a total of 30 brands in 131 countries. With 21 years on the Fortune 500 list, Marriott International holds rank 151 on the list as of 2019. Marriott International is widely known for its luxurious hotels and wealthy customers.
From a root beer stand to the world's largest hotel chain, Marriott International's story is a true inspiration for many entrepreneurs.
In the investigation, Marriott found a Remote Access Trojan along with MimiKatz, a password matching tool, in its network. Marriott was charged a fine of 123 million dollars under the GDPR. A lot of individual lawsuits have also been filed against Marriott International. The total cost of the breach may reach up to 1 billion dollars.
Timeline
Nov 2015: Starwood Hotels reports the breach, with a total of 50+ hotels impacted by the breach.
Sep 2016: Marriott International acquires Starwood Hotels for 13 billion dollars and maintains the same IT system, but the staff responsible were laid off.
September 2018: An internal security tool flagged as suspicious an attempt to access the internal guest reservation database for Marriott's Starwood brands. Marriott launches an internal investigation.
Nov 2018: Marriott reports the breach, with a total loss of 500 million guest records including phone numbers, credit card data, names, etc.
Jul 2019: Marriott was fined 123 million dollars under the GDPR, and potentially much more is expected to be paid.
February 2020: Marriott reports another breach in two of its hotels by possible phishing schemes.
Overall Summary
Marriott International reported that it was breached in November 2018. The breach was believed to have begun in 2014, when the hacked system was a part of Starwood Hotels'. Following the merger, Marriott did not integrate the system into a central security system and rather maintained the same systems as before. The attackers used a RAT and MimiKatz to obtain the guest list along with their travel details and credit card details. The keys to the credit card encryption were also believed to be breached.

Vulnerabilities

Vulnerability #1: Employee Education
Summary: Employee details were estimated to have been obtained via phishing. Marriott did not reveal a lot of details about the attack, and this was the deducible conclusion from its CEO's words.

Vulnerability #2: Log Analysis, Detection
Summary: Attackers encrypted the data in Marriott's servers, which made it harder to detect in the logs. Although it was finally picked up, the breach had already been going on for about four years by the time it came to notice.

Vulnerability #3: No Centralized Security System
Summary: Even though Marriott was aware of the previous attacks on the system, they decided to use the same hotel's system instead of making a centralized security system. This resulted in late detection.

Vulnerability #4: Absence of Defense In Depth
Summary: Absence of proper in-depth safety measures allowed the attackers to access potentially valuable customer information undetected for many years.
Costs
• 123 million dollars in GDPR fines
• A total estimate of 1 billion dollars as overall costs
• Marriott agreed to provide the compensation for a new specific requirements.
• None of the info was put up for sale on the Dark web

Prevention
• Maintaining and securing the PoS cash registers
• Auditing the Starwood IT system after acquisition
• Integrating the Starwood IT system with a centralized