Marriott International Data Breach

Risk Assessment and Reflection of the Marriott International Data Breach
Abstract— Recent world events have pushed business leaders to reassess their risk priorities, as information has become a critical asset for most organisations. Identifying and preventing the loss of information has therefore become essential. This paper presents a proposed risk management methodology and the main risk management plan for Marriott International, in the light of the breach of the Starwood Hotels & Resorts guest reservation database that was discovered in early September 2018. Marriott International is a multinational hospitality company that manages a broad portfolio of hotels and related lodging facilities; it acquired Starwood Hotels & Resorts in 2016. The breach exposed the records of approximately 500 million guests, including passport numbers, travel details and payment card numbers. The intrusion persisted for four years, from 2014 to 2018, spanning the period before and after the 2016 acquisition. The UK Information Commissioner's Office also announced its intention to fine Marriott almost £100 million for breaching privacy law. This paper uses the Marriott International data breach as a case study to retrospectively perform a risk assessment, risk analysis and risk treatment for Marriott International, comparing the FAIR and ISMS approaches.
According to Pearl Zhu (2018), "Sense and deal with problems in their smallest state, before they grow bigger and become fatal." When a company is hacked, customers' trust in its service takes a hit. For a firm as large as Marriott International, the question is whether this might dissuade travellers from staying at one of its properties. In the short term the breach may give some consumers pause for thought, but in the long run how the company manages the situation and prepares for the future will determine its fate.
Marriott International is the third largest hotel chain in the world. It is a multinational hospitality company with a portfolio of hotels and other lodging facilities within its franchise. The company manages an estimated 1,500,000 rooms (Wikipedia, 2020) and has a presence in 131 countries and territories. As part of its expansion, Marriott International purchased Starwood Hotels and Resorts in 2016.
The Marriott-Starwood breach was one of the largest cyber attacks, and the most talked about in the hospitality industry, in 2018. The records of some 500 million customers who had made guest reservations at Starwood Hotels and Resorts were compromised. The breach exposed the company to almost £100 million in proposed fines for breaking privacy law and also affected the company's
An internal investigation conducted by Marriott revealed that the breach was discovered when a security tool flagged an unusual query against the Starwood guest reservation database. The database audit logs tied the query to an account with administrative privileges, but further investigation showed that the account's legitimate user had not issued it: the attacker had obtained that user's credentials and was impersonating them. Technically, the attacker gained a foothold on a Starwood server by planting a Remote Access Trojan (RAT), a malware program that opens a backdoor giving remote administrative control over the target machine, and Mimikatz, a post-exploitation tool that extracts plaintext passwords, password hashes, PINs and Kerberos tickets from the memory of the Windows LSASS process. Credentials harvested this way let the attacker query the database as a privileged user, and the intrusion went unnoticed for about four years. Two points follow for defenders. Mimikatz needs local administrator rights (or SeDebugPrivilege) to read LSASS memory, so its presence means the host was already compromised when the credential theft happened. And the anomalous-query alert that eventually exposed the breach is exactly the control that should have fired on a privileged account's first bulk read of the guest table, rather than years into the intrusion.
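As an added example (not code from the paper, nor from Marriott's or Starwood's tooling), the following Python script shows the logic behind the kind of alert that finally exposed the breach: build a per-account baseline from past database audit records, then flag queries by privileged accounts that come from a new host, run at an unusual hour, return far more rows than the account ever has, or read a whole table with no filter. The audit-log format, account names, addresses and table names are constructed for the example.

```python
"""Baseline-and-deviation checks for privileged database activity.

Added example: a minimal version of what a database activity monitor does.
The audit-log format, accounts, hosts and tables are constructed for the
example and are not Starwood's or Marriott's.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# One audit record per line: "<ISO timestamp> user=<u> role=<r> src=<ip> rows=<n> sql=<statement>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) src=(?P<src>\S+) "
    r"rows=(?P<rows>\d+) sql=(?P<sql>.+)$"
)

# Constructed sample: six days of normal DBA and application activity, then an
# off-hours session from an unknown host that counts and dumps the guest table.
SAMPLE_AUDIT_LOG = """\
2018-09-01T09:12:03Z user=db_admin01 role=DBA src=10.20.1.15 rows=1 sql=SELECT count(*) FROM reservations WHERE res_date = '2018-09-01'
2018-09-02T10:40:11Z user=db_admin01 role=DBA src=10.20.1.15 rows=12 sql=SELECT * FROM reservations WHERE guest_id = 88213
2018-09-03T14:05:59Z user=db_admin01 role=DBA src=10.20.1.15 rows=250 sql=SELECT guest_id, email FROM guests WHERE updated_at > '2018-09-02'
2018-09-04T11:22:40Z user=db_admin01 role=DBA src=10.20.1.15 rows=0 sql=UPDATE reservations SET status = 'CANCELLED' WHERE res_id = 5512
2018-09-05T16:48:07Z user=db_admin01 role=DBA src=10.20.1.15 rows=3 sql=SELECT * FROM reservations WHERE res_id IN (7701, 7702, 7703)
2018-09-06T09:30:15Z user=report_svc role=APP src=10.20.2.40 rows=5000 sql=SELECT hotel_id, count(*) FROM reservations GROUP BY hotel_id
2018-09-07T02:17:45Z user=db_admin01 role=DBA src=172.16.44.9 rows=1 sql=SELECT count(*) FROM guests
2018-09-07T02:19:02Z user=db_admin01 role=DBA src=172.16.44.9 rows=380000000 sql=SELECT * FROM guests
2018-09-07T09:05:10Z user=db_admin01 role=DBA src=10.20.1.15 rows=40 sql=SELECT * FROM reservations WHERE res_date = '2018-09-07'
"""


@dataclass
class Event:
    ts: str
    user: str
    role: str
    src: str
    rows: int
    sql: str

    @property
    def hour(self) -> int:
        return int(self.ts[11:13])  # UTC hour from the ISO timestamp


def parse_audit_log(text: str) -> list[Event]:
    """Parse audit lines; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append(Event(d["ts"], d["user"], d["role"], d["src"], int(d["rows"]), d["sql"]))
    return events


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)   # source addresses seen for the account
    hours: set = field(default_factory=set)   # UTC hours in which the account was active
    max_rows: int = 0                         # largest result set the account has returned


def build_baseline(events: list[Event]) -> dict[str, Baseline]:
    base: dict[str, Baseline] = defaultdict(Baseline)
    for e in events:
        b = base[e.user]
        b.hosts.add(e.src)
        b.hours.add(e.hour)
        b.max_rows = max(b.max_rows, e.rows)
    return dict(base)


# "SELECT * FROM <table>" with no WHERE clause: a whole-table read.
FULL_TABLE_READ = re.compile(r"^\s*select\s+\*\s+from\s+\w+\s*;?\s*$", re.IGNORECASE)


def detect(events, baseline, row_multiplier=10, privileged_roles=("DBA",)):
    """Return (timestamp, user, reasons) for each privileged query that deviates from baseline."""
    alerts = []
    for e in events:
        if e.role not in privileged_roles:
            continue
        reasons = []
        b = baseline.get(e.user)
        if b is None:
            reasons.append("no baseline for account")
        else:
            if e.src not in b.hosts:
                reasons.append(f"new source host {e.src}")
            if e.hour not in b.hours:
                reasons.append(f"outside usual hours ({e.hour:02d}:00 UTC)")
            if e.rows > row_multiplier * max(b.max_rows, 1):
                reasons.append(f"{e.rows} rows returned, over {row_multiplier}x baseline max {b.max_rows}")
        if FULL_TABLE_READ.match(e.sql):
            reasons.append("unfiltered full-table read")
        if reasons:
            alerts.append((e.ts, e.user, reasons))
    return alerts


def run_example(cutoff="2018-09-07"):
    """Train on records before the cutoff date, detect on the rest."""
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    history = [e for e in events if e.ts < cutoff]
    recent = [e for e in events if e.ts >= cutoff]
    return detect(recent, build_baseline(history))


if __name__ == "__main__":
    for ts, user, reasons in run_example():
        print(f"{ts} {user}: " + "; ".join(reasons))
```

The baseline rules catch the change in behaviour (new host, 02:00 activity, a result set orders of magnitude larger than ever before), while the full-table-read rule is static and fires even if the attacker's host and hours had already been absorbed into the baseline, which is why a monitor should combine both kinds of check.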
Analysing this breach prompts some thoughts on how it could have been mitigated. For an acquisition as large as Marriott-Starwood, due care and due diligence on Starwood's information security could have mitigated this breach. For example, a security assessment of the reservation application and its supporting servers, performed by an ethical hacker, could have detected exploitable weaknesses, and a review of Starwood's privileged accounts and monitoring might have surfaced the attacker's existing presence. Marriott could also have performed a risk assessment of Starwood in order to understand the existing systems and identify risks through analysis of the information gathered, using ISMS or FAIR or both methodologies.
The purpose of an Information Security Management System (ISMS) is to provide a business-risk-driven approach to establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving information security, as specified by ISO/IEC 27001 (the international standard for creating and maintaining an ISMS). The FAIR model, by contrast, breaks the factors of a risk analysis down in logical and practical terms so that they can be estimated and quantified.
Keywords: Information Security, Risk Management, Information Security Standards, Information Security Risks, ISO 27001, FAIR, Breach, Risk, Threat and Vulnerabilities

An ISMS is a set of policies and procedures that sets out the controls an organisation needs to implement to protect the confidentiality, integrity and availability (CIA) of its assets against threats. It also provides a central framework for how people, policies, systems and controls identify technology-led threats to valuable information and related assets. Its benefits include the following:
It is an internationally recognised structure and methodology.
It helps protect an organisation's information assets in order to ensure business continuity and minimise business damage.
It has a defined process to evaluate, implement, maintain and manage information security.
It supports effective and efficient security planning and management.
It has tailored policies, procedures, standards and guidelines.
It increases the trust, credibility and confidence of customers and partners.
It is compatible with other management system standards, for example ISO 9001 (Quality management systems – Requirements) and ISO 14001 (Environmental management systems – Requirements with guidance for use).
The ISMS process adopted in this paper is tailored for Marriott International. Developing an ISMS requires knowing the following:
A. Organisation
What is the purpose of the organisation? What does the organisation require to achieve this purpose? What does the organisation provide to achieve this purpose?
Marriott International is the third largest hotel chain in the world, with 30 brands and over 1,500,000 rooms in 131 countries and territories. One of its objectives is to continue to provide a warm reception and lodging facilities for its customers.
B. Assets
Asset identification means establishing what the organisation's assets are, how each contributes to the organisation's objectives, how it might be compromised and what the consequence would be. The asset management standard ISO 55000 defines an asset as "an item, thing or entity that has potential or actual value to the organisation" (ISO, 2014). Assets can be tangible or intangible and may be grouped as software, hardware, data, procedures, infrastructure and networks, and people, with people being the key asset in most organisations. Apart from people, which are discussed separately below, the key assets of Marriott International are its database servers, where all customer records are stored: names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information, reservation dates and communication preferences. In the 2018 Marriott International breach the main point of compromise was the guest reservation database, from which the attacker was able to access the records of some 500 million customers. Other assets include hard copy documents such as invoices and receipts, CCTV cameras, laptops and desktops, the applications used by the company, the operating systems and employee information. Listing assets clarifies what is valuable and who is responsible for what.
C. People
Attackers prey on human psychological weaknesses, targeting people as the "weakest link" in the security chain. Knowing who the people outside the organisation are and what impact they can have on it, and who the people inside the organisation are, what their roles are and what impact they can have, helps to mitigate risk.
Insider knowledge matters: how much people know. People here includes employees (both former and present) and suppliers, such as cleaning and grocery services and IT service providers, for example technicians managing internet and Wi-Fi services, technicians monitoring CCTV cameras, and technicians responsible for repairing or updating systems. Each of these can pose security challenges and threats.
a) Defining the scope and boundaries of the ISMS
This is about deciding and defining what information should be protected. Customer records are treated in line with the CIA triad. Sensitive information such as bank card details must be kept confidential, unaltered and available. All customer and staff records must be kept confidential and handled in compliance with the GDPR, and all bank card details held on company servers must be encrypted and stored in compliance with PCI DSS.
b) Define an ISMS policy
The ISMS policy informs employees, business associates and customers so that all IT users are aware of their individual obligations under the information security policy. Legal, regulatory and contractual requirements must also be taken into account. The policy states that all information and systems are protected against unauthorised access and disclosure, that confidentiality and integrity are protected and maintained, and that all suspected breaches of information security will be reported and investigated.
c) Define the risk assessment approach
Risk assessment is the process of identifying risks by analysing the threats to, the vulnerabilities of, and the impacts on information, information systems and processing facilities, together with the likelihood of their occurrence. Each asset is rated Low, Medium or High for each property of the CIA triad; Table 1.0 gives the levels and guidance on when each applies.

Confidentiality (ensuring that only authorised persons have access to information):
  Low: disclosure might have a little hostile effect on the organisation's assets.
  Medium: disclosure might have a serious hostile effect on the organisation's assets.
  High: disclosure might have a severe hostile effect on the organisation's assets.
Integrity (ensuring the accuracy of information and protecting it from unauthorised alteration):
  Low: a change to the information might have a little hostile effect on the organisation's assets.
  Medium: a change to the information might have a serious hostile effect on the organisation's assets.
  High: a change to the information might have a severe hostile effect on the organisation's assets.
Availability (ensuring that information and associated assets are available to authorised users when required):
  Low: an interruption of access to the system might have a little hostile effect on the organisation's assets.
  Medium: an interruption of access to the system might have a serious hostile effect on the organisation's assets.
  High: an interruption of access to the system might have a severe hostile effect on the organisation's assets.

Table 1.0 CIA Value Table
d) Identify risks
A risk is the combination of the likelihood that a specific threat will occur and the severity of its consequences. To identify risks it is essential to identify the actual or potential threats and vulnerabilities for each asset. A threat is something that could cause harm; a vulnerability is a weakness that a threat could exploit to cause that harm. The assets and risks identified in this report were derived subjectively, based on assumptions. Table 2.0, the Marriott Risk Identification table in the appendix, lists the assets identified above with the threats and vulnerabilities associated with each.
e) Risk treatment
For each risk found to be intolerable, the organisation must decide how to treat it, choosing among the following:
Risk modification: reduce the likelihood or the impact of the risk by applying controls.
Risk retention: accept the risk at its current level.
Risk avoidance: cancel or change the activity or activities that give rise to the risk.
Risk sharing: transfer part of the risk to a third party, for example through insurance or outsourcing.
f) Residual risk
Residual risk is 'the amount of risk that remains after controls are accounted for' (Slabotsky 2017); in short, the risk left after treatment.
g) Risk appetite
Risk appetite is defined as 'the amount and type of risk that an organisation is willing to pursue or retain' (ISO Guide 73:2009).
Figure 1.0 Factors affecting ISMS
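To make steps d) to g) concrete, the following Python script (an added example, not part of the paper) builds a small risk register from the assets and threats listed in the appendix tables, scores inherent risk as likelihood multiplied by the highest of the C, I and A impact levels of Table 1.0, reduces it by an estimated control effectiveness to obtain residual risk, compares the residual against a stated risk appetite, and flags which risks still need treatment. The impact, likelihood, control-effectiveness and appetite values are assumptions for illustration, as the paper's own assessment is also subjective.

```python
"""Risk register with inherent risk, residual risk and an appetite check.

Added example, not from the paper. Scores: Low=1, Medium=2, High=3 for both
likelihood and the C/I/A impact levels of Table 1.0. Inherent risk is
likelihood x max(C, I, A); residual risk is inherent risk x (1 - control
effectiveness). All ratings below are assumptions for illustration.
"""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    confidentiality: str
    integrity: str
    availability: str
    likelihood: str
    control_effectiveness: float  # 0.0 = no effective control, 1.0 = threat fully prevented

    def impact(self) -> int:
        """Impact is driven by the most severely affected CIA property."""
        return max(LEVEL[self.confidentiality], LEVEL[self.integrity], LEVEL[self.availability])

    def inherent(self) -> int:
        return LEVEL[self.likelihood] * self.impact()

    def residual(self, effectiveness=None) -> float:
        eff = self.control_effectiveness if effectiveness is None else effectiveness
        if not 0.0 <= eff <= 1.0:
            raise ValueError("control effectiveness must be between 0 and 1")
        return round(self.inherent() * (1.0 - eff), 1)


def example_register() -> list[Risk]:
    """Assets and threats taken from the appendix tables; the ratings are assumed."""
    return [
        Risk("Database server", "Unauthorised access via RAT, Mimikatz or SQL injection",
             "High", "High", "Medium", "High", 0.2),
        Risk("Database server", "Privilege escalation by an over-entitled staff account",
             "High", "High", "Low", "Medium", 0.3),
        Risk("Electronic devices", "Man-in-the-middle interception of CCTV or laptop traffic",
             "Medium", "Medium", "Low", "Medium", 0.5),
        Risk("Hard copy documents", "Receipts or invoices used for identity theft",
             "Medium", "Low", "Low", "Medium", 0.5),
        Risk("Employee information", "Identity theft to gain access to restricted areas",
             "High", "Medium", "Low", "Medium", 0.4),
    ]


def plan_treatment(register: list[Risk], appetite: float) -> list[dict]:
    """Rank risks by residual risk and mark those above appetite for treatment.

    A residual risk at or below appetite is retained (risk retention). Anything
    above it must be modified, avoided or shared; which of the three applies is
    a management decision, so only the flag is computed here.
    """
    rows = []
    for r in register:
        res = r.residual()
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent(),
            "residual": res,
            "within_appetite": res <= appetite,
            "decision": "retain" if res <= appetite else "treat (modify / avoid / share)",
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def what_if(risk: Risk, new_effectiveness: float, appetite: float) -> tuple[float, bool]:
    """Residual risk if a proposed control raised effectiveness to new_effectiveness."""
    res = risk.residual(new_effectiveness)
    return res, res <= appetite


if __name__ == "__main__":
    APPETITE = 3.0  # assumed: residual scores above 3 on the 1-9 scale are intolerable
    for row in plan_treatment(example_register(), APPETITE):
        print(f"{row['residual']:4.1f}  {row['decision']:<30} {row['asset']}: {row['threat']}")
    # Would privileged-access monitoring plus MFA on the DBA accounts bring the
    # top risk within appetite? (0.7 is an assumed combined effectiveness.)
    print(what_if(example_register()[0], 0.7, APPETITE))
```

The what_if function is the point of keeping residual risk separate from inherent risk: it lets the treatment plan state what level of control effectiveness a proposed measure must reach before the risk can be retained, which is the question the risk owner actually has to answer.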
Some organisations have also chosen to mitigate security risks by implementing an ISMS using this nine-step approach:
a. Generate a project mandate
b. Initiate the project
c. Adopt a methodology to initiate the ISMS
d. Create a management framework
e. Identify baseline security criteria
f. Create a risk management process
g. Create and implement a risk treatment plan
h. Measure, monitor and review the results
i. Achieve certification
ISO/IEC 27001 describes a general process for the ISMS, and FAIR provides a methodology for analysing risk. This section describes how the FAIR methodology can be used to analyse risk in the context of ISO/IEC 27005 and the ISMS.
"Essentially, all models are wrong, but some are useful" (Box, 1978). Factor Analysis of Information Risk (FAIR) decomposes risk into two major branches, Loss Event Frequency and Loss Magnitude, each of which is broken down further into the factors that drive it. This taxonomy is illustrated in Figure 2.0 below.

Figure 2.0 Risk Taxonomy (UWE Lecture slide, 2020)
In FAIR, risk is "the probable frequency and probable magnitude of future loss". A FAIR risk analysis proceeds in four stages:

Stage 1: Identify the components of the scenario
Step 1: Identify the asset at risk
Step 2: Identify the threat community under consideration

Stage 2: Evaluate Loss Event Frequency (LEF)
Step 3: Estimate the probable Threat Event Frequency (TEF)
Step 4: Estimate Threat Capability (TCAP)
Step 5: Estimate Control Strength (CS)
Step 6: Derive Vulnerability (Vuln) from TCAP and CS
Step 7: Derive Loss Event Frequency (LEF = TEF × Vuln)

Stage 3: Evaluate Probable Loss Magnitude (PLM)
Step 8: Estimate worst-case loss
Step 9: Estimate probable loss

Stage 4: Derive and articulate risk
Risk is expressed as the probable frequency and probable magnitude of future loss.

The FAIR risk assessment is used to prioritise risk issues for metric analysis and development, and to identify and compare the cost-benefit propositions of candidate risk mitigations. FAIR articulates risk to decision makers by classifying the factors that make up risk, defining how each is measured, and using mathematical simulation (typically Monte Carlo) to build and analyse risk scenarios. See Appendix 2.0 – 2.5 for the threat, vulnerability and effect assessment tables for Marriott – Starwood. Using the FAIR-U tool, the full analysis and results are shown in Figures 3.0, 3.1, 3.2 and 3.3 in Appendix 3.0.
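The simulation behind Figures 3.0 to 3.3 can be reproduced in miniature. The following Python script is an added example (not the FAIR-U tool and not the paper's own analysis): it estimates Vulnerability as the probability that sampled Threat Capability exceeds sampled Control Strength, multiplies it by Threat Event Frequency to get Loss Event Frequency, draws the number of loss events in each simulated year from a Poisson distribution, sums primary and secondary loss per event, and reports the annual loss distribution and a loss exceedance curve. All input ranges are assumed (minimum, most likely, maximum) triangular estimates for the Marriott–Starwood scenario and are illustrative only.

```python
"""Monte Carlo FAIR analysis: TEF, TCAP and CS in, annual loss distribution out.

Added example, not the FAIR-U tool. Every input range is an assumed
(minimum, most likely, maximum) estimate used only for illustration.
"""
import math
import random
import statistics

# Assumed estimates for an external attacker against the guest reservation
# database. Capability and control strength are on a 0-1 scale; losses in GBP.
EXAMPLE_SCENARIO = {
    "tef": (0.5, 2.0, 5.0),                 # threat events per year
    "tcap": (0.50, 0.75, 0.95),             # threat capability percentile
    "cs": (0.40, 0.60, 0.80),               # control (resistance) strength percentile
    "primary_loss": (1e6, 2e7, 8e7),        # response, notification, remediation
    "secondary_loss": (5e6, 5e7, 2e8),      # fines, lawsuits, customer churn
}


def draw(rng, estimate):
    """Sample a (min, most likely, max) estimate; random.triangular takes (low, high, mode)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def poisson(rng, lam):
    """Knuth's algorithm; adequate for the small annual frequencies used in FAIR."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def estimate_vulnerability(tcap, cs, samples=20000, rng=None):
    """Vulnerability = P(threat capability > control strength)."""
    rng = random.Random(0) if rng is None else rng
    hits = sum(1 for _ in range(samples) if draw(rng, tcap) > draw(rng, cs))
    return hits / samples


def simulate(scenario, iterations=10000, seed=1):
    """Return the sorted annual losses plus the derived vulnerability and LEF."""
    rng = random.Random(seed)
    vuln = estimate_vulnerability(scenario["tcap"], scenario["cs"], rng=rng)
    annual_losses = []
    for _ in range(iterations):
        lef = draw(rng, scenario["tef"]) * vuln          # loss events per year
        loss = 0.0
        for _ in range(poisson(rng, lef)):
            loss += draw(rng, scenario["primary_loss"]) + draw(rng, scenario["secondary_loss"])
        annual_losses.append(loss)
    annual_losses.sort()
    return {
        "vulnerability": vuln,
        "lef_most_likely": scenario["tef"][1] * vuln,
        "annual_losses": annual_losses,
    }


def percentile(sorted_values, q):
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def loss_exceedance(sorted_losses, thresholds):
    """(threshold, probability that annual loss exceeds threshold) pairs: the LEC."""
    n = len(sorted_losses)
    return [(t, sum(1 for x in sorted_losses if x > t) / n) for t in thresholds]


def summarise(result):
    losses = result["annual_losses"]
    return {
        "vulnerability": round(result["vulnerability"], 3),
        "lef_most_likely": round(result["lef_most_likely"], 2),
        "mean_annual_loss": round(statistics.mean(losses)),
        "p50": round(percentile(losses, 0.5)),
        "p90": round(percentile(losses, 0.9)),
        "max": round(losses[-1]),
    }


if __name__ == "__main__":
    result = simulate(EXAMPLE_SCENARIO)
    print(summarise(result))
    for threshold, prob in loss_exceedance(result["annual_losses"], [0, 1e7, 5e7, 1e8, 5e8]):
        print(f"P(annual loss > £{threshold:>12,.0f}) = {prob:.3f}")
```

The mean annual loss is the figure most often quoted, but the loss exceedance curve is what a decision maker needs: the probability that a year's losses exceed a given amount, which can be read against the organisation's risk appetite and against the cost of a proposed control (re-run with a higher CS range to see the curve shift).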
Comparing FAIR with the ISMS approach, the following reasons favour FAIR as the preferred option for risk management:
One purpose of being in business is to make a profit; FAIR provides a model for analysing cyber and operational risk in clear financial terms.
It supports effective and economical business decision making around risk.
It reduces the guesswork in the risk management equation by making estimates and their ranges explicit.
It breaks down the various factors of a risk analysis in logical and practical terms.
It serves as a construct for analysing complex risk scenarios.
Frameworks such as NIST SP 800-30 attempt to measure risk but are usually applied with qualitative scales; the FAIR model components are specifically designed to support risk quantification.
FAIR fills gaps in other risk management frameworks by providing a proven, standard risk quantification methodology that can be layered on top of them.
In conclusion, the ISMS standards provide requirements and guidelines for risk assessment but prescribe no analysis methodology, hence the choice of FAIR.
The consequences of the breach for Marriott include:
Brand and reputational damage.
Financial loss: the GDPR fine, compensation to affected customers and legal fees from lawsuits.
Loss of customers, as the breach raises questions about the integrity of the brand.
Impact on the organisation's bottom line.
The risk control strategies are acceptance, avoidance, reduction, removal and sharing. It is not possible to identify every risk, but knowing the main risks and assigning each a severity level based on assessment makes them manageable. Judged with hindsight, the Marriott-Starwood breach could have been avoided. Subjectively, the best approach for the future is to avoid and reduce the identified threats and vulnerabilities. Organisations as large as Marriott are targets because of the volume of information they hold and their financial worth.
A critical reflection on suitable treatment strategies for the identified risks gives the following:
Conduct due diligence on the target's network and IT infrastructure before an acquisition, including a review of its logging, privileged access and incident history.
Application testing: vulnerability assessments and penetration tests should be carried out at least quarterly, and after significant changes.
Deploy endpoint protection (anti-malware) and firewalls on all systems, and monitor them centrally.
Comply with the Data Protection Act and the GDPR, and with standards such as ISO/IEC 27001 and ISO/IEC 27002.
ISO/IEC 27002 recommends that IT equipment be sited in controlled, physically secured areas away from unauthorised persons.
Train staff regularly on cyber security matters.
Implement a network security policy using ISO/IEC 27033.
When an employee leaves the organisation, all access, such as key cards, tokens and accounts, should be revoked promptly.
Have a defined information security policy in accordance with ISO/IEC 27001.
Travel data is rich: it offers insight into a person's lifestyle, tastes and relationships. An organisation as large as Marriott, holding the information of some 500 million customers, should expect attacks of this type. To mitigate such breaches in future, this paper subjectively recommends that Marriott perform due care, due diligence and a risk assessment on a company's network infrastructure when acquiring or merging with it.
On critical analysis of this breach using both ISMS and FAIR, I would suggest the use of FAIR, as it analyses risk thoroughly from the business perspective, projecting the likely financial loss in the event of a breach, and it builds on qualitative effort to quantify risk.

Appendix 1.0
Table 2.0 Risk Assessment Table for Marriott International
Appendix 2.0
Table 2.0 Threat, vulnerability and effect assessment for People

Threat: Database server: unauthorised access to the Marriott server where customer information is stored.
Vulnerability: Attacker using sophisticated tools such as a RAT and Mimikatz, or SQL injection.
Effect: Could lead to a potential leak of customer data; fines under the GDPR; customer lawsuits.

Threat: Escalation of privileges.
Vulnerability: Access granted to members of staff who should not have it; an attacker might leverage this to gain unauthorised access.
Effect: Could lead to a potential leak of customer data; fines under the GDPR; customer lawsuits.

Table 2.1 Threat, vulnerability and effect assessment for Database Server

Threat: Electronic devices: man-in-the-middle (MITM) attack and compromise of sensitive information.
Vulnerability: An adversary intercepting the internal network and manipulating traffic from devices such as CCTV cameras, laptops or desktops.
Effect: Potential leak of information that could be used for blackmail or to gain unauthorised access.

Table 2.2 Threat, vulnerability and effect assessment for Electronic Devices

Threat: Hard copy documents: receipts or invoices with room details and customer names could lead to identity theft.
Vulnerability: An intruder might be able to gain unauthorised access to steal valuables from the hotel.
Effect: Could lead to loss of valuables, which could disrupt future engagement or create a bad impression of the brand.

Table 2.3 Threat, vulnerability and effect assessment for Hard copy documents
Appendix 3.0
Table 2.4 Threat, vulnerability and effect assessment for Software Items

Threat: Employee information: identity theft to gain unauthorised access to company information, as in the Marriott–Starwood breach.
Vulnerability: Intruder access to restricted areas.
Effect: Access to confidential data.

Table 2.5 Threat, vulnerability and effect assessment for Employee Information
Figure 3.0 Marriott FAIR-U Analysis (Left View).

Figure 3.1 Marriott FAIR-U Analysis (Right View).
Figure 3.2 Loss Exceedance Curve.

Figure 3.3 Simulation Results Summary.
CSO Online (2018) The Marriott data breach and how it happened [online]. Accessed 22 February 2020.
Marriott Data Breach (2018) [online]. Accessed 20 March 2020.
Midhunnirmal (2017) ISO 27001 ISMS [online]. Accessed 22 February 2020.
FAIR Institute (2020) [online]. Accessed 21 March 2020.
Pollard, J. (2018) Marriott Breach [online].
NIST SP 800-53 Risk Management Methodology (2019) [online]. Accessed 21 March 2020.
Resolver, Governance Risk and Compliance [online]. Accessed 21 March 2020.
Irwin, L. (2019) What is an ISMS and 8 reasons why you should implement one, IT Governance Blog [online]. Accessed 18 March 2020.
ISO/IEC 27005 Cookbook: FAIR – ISO/IEC 27005 Cookbook [online]. Accessed 3 March 2020.
Information Security Management Systems (2020) [online]. Accessed 3 March 2020.
Ciccone, J. (2019) ISMS Overview [online]. Accessed 3 March 2020.
Aztec Support (2018) ISMS Policy [online]. Accessed 1 March 2020.
Wikipedia (2020) Marriott International [online]. Accessed 1 March 2020.
RISCOMATIC (2020) FAIR Risk Management [online]. Accessed 20 March 2020.
FAIR-U (2020) [online]. Accessed 20 March 2020.
University of the West of England (2020) Information Risk Management, lecture slides.
ISACA (2011) Planning For and Implementing ISO 27001 [online]. Accessed 20 March 2020.
The Week (2018) Marriott Starwood data breach: hotel giant fined almost £100m for breaking privacy laws [online]. Accessed 20 March 2020.