Another breach from Marriott. This time, from a franchise property. Apparently they discovered a large amount of information was being accessed by two employees. They disabled the accounts and investigated. It appears that some personal information, though not financial data, was accessed. I assume there is still some active work being done here, but no update in almost two months.
I ran across this on Bruce Schneier's blog, where he questions whether Marriott is taking security seriously. It's a fair question, especially after Marriott had a huge breach in 2014. Do we think that a second data breach is grounds for questioning security? I certainly think it is, because anyone who has had an incident should be extra careful.
In this case, I'm not quite sure this is a sign of lax security. The disclosure notes that employee credentials were used at a franchise property. Does this mean that the employees inappropriately accessed data? Or that someone got employee user/pwd data and used it from a franchise property? In either case, this is mostly on the franchisee, and also difficult to detect. We could argue that 45 days is too long for suspicious activity to take place, and I think it is.
If this occurred off Marriott property, or from non-franchisee equipment that connected to the Wi-Fi at a hotel, then I think Marriott has not taken security seriously. I know employees get new phones, laptops, etc., but any access from a new device ought to have some security associated with it. I know when I connect to Redgate resources, there is some 2FA, along with requiring the user/password combination. If this isn't in place, that's a huge issue.
Certainly getting employee credentials might be possible from observation. If employees log on, anyone watching, or surreptitiously recording the process, could get credentials. That alone shouldn't be enough to log on, and if it is, Marriott (and their franchisees) aren't taking security seriously. If this was employee misbehavior, however, that's more difficult to track. I'd hope that employees can't get lots of guest data in a short period of time, and there are monitoring systems in place to track large (or frequent) database queries.
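One way to implement the kind of monitoring the paragraph above hopes for, as an added example that is not Marriott's, a franchisee's, or the original post's code: a sliding-window check over database audit records that flags an account when it returns more guest rows, or issues more guest-table queries, than a normal front-desk lookup pattern would. The audit line format, table names, account names, thresholds and sample records are all constructed for the example.

```python
"""Flag accounts that pull large or frequent amounts of guest data.

Added example, not code from Marriott or any vendor. It assumes a
database audit log in a constructed line format:

    <ISO timestamp> <user> <table> rows=<n>

and raises an alert when one account, inside a trailing time window,
either returns more than ROW_THRESHOLD rows from guest tables or issues
more than QUERY_THRESHOLD queries against them.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data): emp_a and emp_c do
# single-reservation lookups; emp_b dumps whole guest tables in a burst;
# emp_c then issues a run of small queries quickly enough to stand out.
SAMPLE_LOG = """\
2020-01-06T21:00:05 emp_a guest_profile rows=1
2020-01-06T21:04:12 emp_a guest_profile rows=1
2020-01-06T21:05:40 emp_b guest_profile rows=5000
2020-01-06T21:06:02 emp_b guest_profile rows=5000
2020-01-06T21:06:30 emp_b loyalty_account rows=3000
2020-01-06T21:40:00 emp_c guest_profile rows=2
2020-01-06T22:10:00 emp_c guest_profile rows=1
2020-01-06T22:11:00 emp_c guest_profile rows=1
2020-01-06T22:12:00 emp_c guest_profile rows=1
2020-01-06T22:13:00 emp_c guest_profile rows=1
2020-01-06T22:14:00 emp_c guest_profile rows=1
2020-01-06T22:15:00 emp_c guest_profile rows=1
"""

GUEST_TABLES = {"guest_profile", "loyalty_account"}  # assumed table names
ROW_THRESHOLD = 1000      # guest rows per account per window (assumed)
QUERY_THRESHOLD = 5       # guest-table queries per account per window (assumed)
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one constructed audit line into (timestamp, user, table, rows)."""
    ts, user, table, rows = line.split()
    return datetime.fromisoformat(ts), user, table, int(rows.split("=", 1)[1])


def detect_bulk_access(log_text, window=WINDOW,
                       row_threshold=ROW_THRESHOLD,
                       query_threshold=QUERY_THRESHOLD):
    """Return alerts as (user, reason, first_trigger_time) tuples, sorted.

    Events are processed in timestamp order. For each user a deque holds
    only the events inside the trailing window, so each event is appended
    once and evicted once and the scan stays linear in the log size.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # user -> deque of (timestamp, rows)
    alerts = {}                   # (user, reason) -> first triggering timestamp
    for ts, user, table, rows in events:
        if table not in GUEST_TABLES:
            continue              # non-guest tables are out of scope here
        q = recent[user]
        q.append((ts, rows))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        total_rows = sum(r for _, r in q)
        if total_rows > row_threshold:
            alerts.setdefault((user, "bulk_rows"), ts)
        if len(q) > query_threshold:
            alerts.setdefault((user, "frequent_queries"), ts)
    return sorted((u, r, t.isoformat()) for (u, r), t in alerts.items())


if __name__ == "__main__":
    for user, reason, when in detect_bulk_access(SAMPLE_LOG):
        print(f"ALERT {when} account={user} reason={reason}")
```

Run against the constructed log, this flags emp_b on the first 5000-row query and emp_c on the sixth lookup inside ten minutes, while emp_a's two single-row lookups stay silent; the earlier emp_c query at 21:40 falls outside the window and is not counted. In practice the thresholds would be set per role from a baseline of normal activity, and the alert would feed whatever system the property's security team actually watches.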
The bottom line is that Marriott likely needs more security, and probably deserves a larger fine here. Not having more GDPR-like regulation in the US might make this hard, and I hope the US starts to better protect the humans whose data is being processed by companies. They certainly should have strong physical security, which many hotels might not have. I've certainly encountered plenty of unoccupied front desks (and concierge desks) at hotels late at night. Perhaps Marriott needs better, and more frequent, pen testing by humans against their systems at franchisee locations to ensure they have implemented enough security.