The Marriott Data Hack: What SAP Cybersecurity Lessons Can We Learn?

Apr 11, '19 by Joerg Schneider-Simon

As 2018 drew to a close, another high-profile data hack hit the news: This time, the victim was hospitality giant Marriott. The breach was initially thought to have affected up to 500 million people, with their personal data — including millions of passport numbers — being stolen from the hotel chain’s Starwood branch and its guest reservation system. Shares in Marriott fell 20% in a single quarter and an investigation was launched.

Not the way any company wants to finish up their year.

And while our readers may be familiar with the term Schadenfreude, meaning to take pleasure in another’s misfortune, we prefer to gain Weisheit, or wisdom from incidents such as these. The Marriott breach gives all businesses strong motivation to take a good hard look at their cybersecurity practices. So, what lessons can we learn from Marriott’s misfortune, and how do those lessons apply to SAP?

3 Cybersecurity Lessons from the Marriott Breach

Always Assume Intrusion

Three things are certain in life: death, taxes, and your business being the target of a hacking attempt. A 2015 survey indicated that 80% of U.S. companies had been successfully hacked to some degree or another. With the looming growth of AI-powered data theft, that number shows no signs of decreasing.

Despite these numbers, many companies may still operate under the assumption that they’re unlikely to be the target of a cyberattack, especially if they have a lower public profile than large B2C players like Marriott, Equifax, or Target? As it turns out, cyberattackers are just as busy targeting the public sector, healthcare, education, and manufacturing, according to the 2018 Verizon Data Breach Investigations Report.

The takeaway? Every company should be proactive and assume that their network AND their SAP system are under attack. Regular penetration testing can pinpoint security vulnerabilities, while stringent permission controls help minimize the risk of malicious insider attacks. Companies also need to be aware that OS-level anti-malware programs will not be able to scan SAP systems or files, so separate solutions are needed to keep SAP safe.

Perform Due Diligence During Mergers and Acquisitions

Marriott acquired Starwood in September 2016, with Starwood’s customer data and loyalty program being a major attractor.

The problem? The Starwood hack had been ongoing since 2014 — but wasn’t uncovered by Marriott until four years later.

Had Marriott performed due diligence by investigating and inquiring about Starwood’s cybersecurity practices (and demanding copies of any testing results), they would have discovered Starwood’s alarming cybersecurity history, such as Russian botnet servers hosting domains, an SQL injection bug on the Starwood website, and a successful hack on Starwood’s point-of-sale systems.

As detailed in our July 2018 blog, cybersecurity due diligence during mergers and acquisitions is of the utmost importance. This applies particularly when partnering with companies operating SAP systems, as few companies have information security staff with specific SAP expertise and experience. If this is the case, security patches may not have been applied properly or regularly — or in a worst-case scenario, responsibility for SAP cybersecurity may have fallen through the cracks, with no clear ownership of those duties.

Prepare for Tougher Regulations

Preparing for GDPR was a lot of work — and it’s just the tip of the iceberg. Senior tech-industry executives like Apple CEO Tim Cook and CEO Marc Benioff have called for similar legislation to be enacted in the U.S. IBM’s CEO Ginni Rometty has called the current environment a “trust crisis,” as more and more large corporations are revealed to be careless (or worse) with consumer data.

Depending upon the political climate, these exhortations could fall upon receptive ears. Already, several U.S. Democratic senators have indicated their displeasure with the recent spate of data breaches and are talking about tougher data privacy laws to help protect sensitive consumer information. While these rumblings are still nascent, they point toward a likely outcome: A GDPR-like law in the U.S. that will bring the hammer down on any companies that do not take every reasonable step to protect their data. Companies should begin preparing now, bolstering their cybersecurity teams and auditing their data gathering/storage protocols (remember: the file data stored by SAP is not stored in traditional disk file systems, so it will need special attention).

The common theme in these lessons? Companies need to step up their cybersecurity game. In this higher-risk environment, the status quo is no longer enough. Organizations need to dramatically increase their vigilance by implementing strict (and strictly enforced) cybersecurity policies and processes, if they hope to avoid being the next one to make the evening news for all the wrong reasons.

New Call-to-action