4 Lessons the Marriott Data Breach Teaches Us About Cloud Security

5 December 2018 | Posted by Josh Bouk

Marriott International, the world’s largest hotelier, revealed this week that it’d fallen victim to one of the largest data breaches of its kind – exposing the personal data of up to 500 million guests. While not the first high-profile hack to gain notoriety, the circumstances surrounding the breach are distinctive and provide a handful of lessons about enterprise cloud security.

Marriott Data Breach Details

On November 30th, 2018, Marriott International Inc disclosed that its Starwood reservation system had been hacked, in a breach dating back to 2014. The hotelier announced that the records of up to half a billion customers were exposed during this time-frame, with details such as passport numbers, emails, dates of birth, mailing addresses, and credit card information compromised.

It qualifies as the second largest corporate data breach in history (behind Yahoo, which last year announced that 3 billion of its accounts, spread across several of its brands, were affected during a targeted attack). However, the Marriott International data breach is particularly disparaging because it remained undetected for so long, and therefore has the makings of a really BIG problem.

Just hours after the public data breach announcement, the company were already subject to several class action lawsuits. But it might get much worse if affected plaintiffs mirror the techniques of Equifax’s 2017 data breach victims, with further financial repercussions coming via the medium of the small claims court. Additionally, the stock price of Marriott International (NASDAQ: MAR) fell considerably, and, at the time of publication and despite minor recovery, was still down almost 6%.

It’s little wonder that the data breach has caused consternation among enterprise organizations, with many now looking to avoid similar repercussions by getting their cloud security in check. But there are some lessons to be learnt too – here are four of the most important.

1. Security is More Important Than Ever

The rising cost of breaches, increasingly sophisticated hackers, widely available hacking tools, tighter regulations, and harsher repercussions – these are just a handful of the reasons why security must be prioritized by enterprise organizations.

Yet, when it comes to cloud computing, a recent study from Crowd Research Partners found that 84% of organizations say traditional security solutions simply don't work in cloud environments, raising questions about how well prepared organizations are for attacks that target cloud-dwelling resources. 

For organizations that are truly invested in not falling foul of a severe data breach and all the financial and reputational headaches that accompany them, security precautions that specialize in cloud safety must be an essential facet of their security strategy.

Discover how to gain financial control over a more secure cloud environment –  book your free cloud expense & security assessment in just a few clicks.

2. No Company is Safe

Businesses the world over quickly need to take stock of the Marriott data breach and come to terms with the fact that it’s no longer possible to keep criminals out of their networks entirely.

This doesn’t mean abandoning all tenets of traditional defense, as there are plenty of security measures that can be taken to safeguard valuable data. But it does mean accepting that, despite the sheer number of resources expended trying to keep malware and miscreants out, the majority of security defenses can be undone in a heartbeat – and this holds twice as true when regarding cloud security. 

As organizations continue to migrate resources to the cloud to reach new markets, push out new products, and minimize procurement and supply chain costs, a lack of control and visibility over environment security is common, and this can lead to some significant vulnerabilities. For example, a recent RedLock report found that organizations are failing 30% of CIS Foundations best practices, 50% of PCI requirements, and 23% of NIST CSF requirements. While total cloud security is the work of fiction, minimizing the opportunities for bad actors to compromise your systems will pay significant dividends in the future. 

3. Regular Security Audits are Necessary

In business, four years is a really long time. But that was the time-span that Marriott International failed to detect any trace of a data breach, in a blunder that has been referred to as: “shocking and horrifying”.

Effective and comprehensive auditing of assets and resources is essential for the detection and analysis of any unusual activity – aiding in the rapid resolution of any breach. But it also helps to protect against unauthorized access and targeted attacks from occurring in the first place, better safeguarding the environment, and maximizing the integrity of valuable data.

Unfortunately, in enterprise-level cloud environments, this is easier said than done. With multiple geographical locations combined with near-instant spin-up and spin-down of resources, a lack of visibility and control is common and effective policing of the environment can become impossible.

For organizations to perform comprehensive security audits, inclusive of all cloud-based workloads, they must first find a method of identifying and analyzing new resources as they're provisioned and a system of regaining visibility over their cloud.

4. Cloud-Based Resources Should be Prioritized

Marriott has been vilified in the wake of the data breach but, according to Forbes, this isn't necessarily surprising. A recent article states that Marriott International has suffered at least one previously unreported hack, and have failed to secure a string of other security vulnerabilities – notably the use of an easily guessable password for Starwood’s ServiceNow cloud computing service.

Today, public cloud is proliferating and serving as the IT infrastructure of choice to host valuable, mission-critical data. With Gartner predicting the worldwide public cloud services market will grow by 17.3% in 2019, this trend shows no sign of slowing down.

While the public cloud has long been tarnished with a reputation for sub-par security, in truth, the public cloud is at least as secure as on-premises infrastructure, provided it’s properly maintained and monitored. In the future, enterprises that are looking to reduce vulnerabilities, minimize risk, and remove the headaches that accompany data breaches or non-compliance, must look to invest in comprehensive cloud security services.


The Marriott data breach will have severe reputational and financial repercussions long into the future and forever tarnish its otherwise impressive history. For organizations looking to avoid a similar circumstance, a good place to start is with cloud management services (CMS).

Providing both comprehensive cloud security measures and an opportunity for businesses to gain visibility and control over their environment, CMS can deliver significant savings and a more secure cloud environment for your enterprise. To gain an accurate estimation of the value of cloud management services for your organization, book your free cloud expense and security assessment today, and see how we can help you avoid making headlines for all the wrong reasons. 

Free Cloud Assessment: Discover how to minimize risk, recapture visibility, and uncover significant savings

Topics: Cloud Management Services

Get weekly Cloud roundups direct to your inbox.