500 Million records in the Marriot Data Breach
I imagine you have all now read with dismay but possibly not that much surprise at the latest ‘megahack’ over at Marriott Hotels. We’re not going to bombard you with more of the same. Instead, we thought this is a good opportunity to highlight a very unwelcome side effect of these type of breaches.
Be wary of the follow-up emails
So, here’s the thing: You’re a Marriott customer, you read the story and you’re already beginning to worry about what to do next. Then you get an email from, let’s say ‘email-marriotthotels.com’, in the email it apologises for the hack and tells you how to reset your username and password to protect your personal data. Just click on the link below, enter your details and you’ll be 100% safe and protected. Except, this is a spoof email, designed to prey on your panicked state of mind and attack you.. again! Imagine someone gets robbed on the street, a ‘good Samaritan’ arrives to help them up and then steals their mobile that the original robber missed – this is the digital equivalent of that. It was particularly prevalent after last years Equifax hack.
And there’s another twist to this tale – as the excellent creator of the haveibeenpwned website, Troy Hunt points out on an extended Twitter post, Marriott Hotels have indeed sent out a follow up advisory email and as Troy says, their email looks like a phishing email. Read the full story on his Twitter post but for starters, the email account they created comes up with ‘service unavailable’ if you click on the domain name to check its veracity – exactly what you would expect from a spoof email! By the way, it’s well worth checking out Troys’ site to see if any of your email addresses have ever been compromised.
What will happen?
So far little action has been taken against The Marriott, but U.S. Senate’s leading privacy advocate Ron Wyden says a lot more could be on the way for the hotel chain. In talks to Gizmodo he explains that “the company will apologize, proclaim that it values its customers’ privacy, and then offer useless credit monitoring” but then he goes on to imply that the solution to this problem is jail time and fines in the billions (Yes, that is with a B) with Wyden saying “Until companies like Marriott feel the threat of multi-billion dollar fines, and jail-time for their senior executives, these companies won’t take privacy seriously”
How can your business learn from this?
“So, how can my business learn from the Marriott data breach” you ask? Employees are often cited as being the ‘weakest link’ in the cyber security chain. You can change this, instead of them being the weakest link, they can become ‘the first responder’, the frontline in your defense against malicious cyber activity. And one of the ways you do this is by testing them for their susceptibility to phishing emails. But do it in a way that doesn’t point the finger of blame. From that, you’ll gather accurate metrics, allowing you to get the information on what to and what not to do in their heads and set up a positive reinforcement of the message for the future. If this resonates with you, read more about our Phishing Testing or why not give us a call on 020 3653 1234 or email nick.roberts@riskcrew.com