Data Breach Incident Analysis & Report

Introduction/Overview

A recent audit review by Casualty insurance and CyberOne business exposed serious gaps in the Padgett-Beale incident response plan. Failure to address these gaps would leave vulnerabilities that may lead to the loss of insurance cover from the CyberOne insurance company. To keep the company's future safe, these gaps must be closed. The audit report established that the company lacks specific plans in its operating units. As such, CyberOne's view is that Padgett-Beale is not ready to effectively prevent or respond to a major data breach exploiting the vulnerabilities in its system. The following analysis of the Marriott data breach will help identify the failures and the lessons that Padgett-Beale should learn from that costly cybersecurity breach. The business needs a cyber-insurance policy to guide its security and safety when dealing with data breaches and network security failures (Trope, 2019). The insurance policy will help PBI manage and mitigate cyber risks by implementing a pre-breach and a post-breach plan. Moreover, the cyber insurance cover will help PBI focus on its project and core business, since the insurance will cover the cost and damages associated with a security breach. This cybersecurity report analyzes the breach to identify the underlying causes, such as the specific data involved at Starwood hotels; the findings from government agencies, such as the court ruling, liabilities, and penalties; a review of the best practices; and finally a summary.

Analysis

Industry analysts and reports have termed the Marriott data breach the second-largest data breach of all time. The breach affected more than 400 000 000 million guests for the hotel industry and amounted to $3 million in cost (ICO, 2019). The incident, which began in 2014, targeted the personal information customers used while booking hotel services online, such as room reservations (ICO, 2019). However, the good news for Marriott is that it had an insurance policy that covered the cost associated with the data breach. According to Patrick, the incident carries potential compliance and regulatory fines and lawsuits; therefore, Marriott will be liable for some of these fees. The report shows that, following an intensive investigation, the Information Commissioner's Office (ICO) issued an extensive notice expressing the need to fine Marriott International a sum of 99, 2000, 396 euros for infringing the General Data Protection Regulation (GDPR) (ICO, 2019). According to the ICO statement, an organization such as Marriott needs to be held accountable for the sensitive data it acquires and stores from customers. Moreover, such organizations need to do due diligence during a corporate acquisition to ensure they have assessable accountability measures that will help identify sensitive and personal data so that it is protected (ICO, 2019). For instance, the data and information stolen from the database include passport numbers, email addresses, phone numbers, mailing addresses, and names.

The modern hotel business is built on connecting consumers to property owners through online reservation systems. Marriott acquired Starwood Hotel & Resort for $13.6 billion, and the acquisition proved to be damaging and costly to Marriott (BBC News, 2020). However, during the acquisition, the Starwood Hotel & Resort online reservation system was compromised. Following this event, Marriott assumed the risks and the consequences associated with the data breach. In the current information technology-driven world, the hotel industry is particularly vulnerable to various security breaches.

A significant amount of data and information was stolen in the security breach. For Marriott, this will be a costly event, split between costs and legal fines. Therefore, at this point, it is important to understand what Marriott could have done to avoid this incident. In response to this question, Craig notes that the best action to avoid such an incident is to ensure proper auditing software, masking, and encryption (ICO, 2019).

Review of The Best Practice

To help Padgett-Beale adapt to changing data breach threats and address the findings of the CyberOne Business and Casualty insurance audit, various recommendations need to be considered. In this regard, Marriott's failure to identify cybersecurity vulnerabilities during the acquisition of Starwood Hotel & Resorts indicates that the company does not have a robust incident response policy to identify a data breach (BBC News, 2020). This shows the possible consequences for a business operating such a system in the hotel industry. The following are the recommended best practices and the acceptable solutions, processes, and policies designed to enhance data breach policies and plans. Adopting these recommendations will help mitigate data breaches, reduce the risk of a damaged reputation, and improve efficiency in responding to data breach incidents.

People

Staff must be properly trained and educated for the data breach response plan to be effective. If employees are not aware of the policy and plan, they are not equipped to follow the guidelines and procedures for responding to data breaches. Proper training will ensure that staff are vigilant and cognizant of the signs and indicators of a data breach (Gwebu & Barrows, 2020). Therefore, Padgett-Beale should conduct quarterly training of its employees to acquaint them with policies, plans, trends in data breaches, and new security measures.

Process

The company should adopt the principle of least privilege. This principle applies to systems, users, and processes. Each is allowed only the minimum access, and only for the minimum time, needed to perform its required functions (Gwebu & Barrows, 2020). Using this principle will reduce the risk of a data breach; therefore, Padgett-Beale should adopt user accounts with the least privileges. If a user's system is compromised, the attacker will only have access to those least privileges.

Policies

Regarding data breaches, both the regulatory and the legal compliance of the business must be addressed in the incident response plan. Failure to comply with the set guidelines will lead to legal fines, costs, and a damaged reputation. The CIO has a responsibility to ensure that the incident response plan is consistent with the existing policies and plans. Only by adopting the best practices can the company avoid costly legal proceedings. Moreover, Padgett-Beale should ensure annual review and update of the policy and make the required recommendations… The company should abide by the Federal Trade Commission's recommendations, which require that notification of a security breach be issued to victims whose personal information is affected.

Technologies

Using the right technology can help to improve data breach response. In this regard, Padgett-Beale should adopt Network Traffic Analysis (NTA) to monitor data traffic and identify abnormalities and suspicious activities (Gokcen, 2014). A robust firewall can also come in handy. The company should also adopt Endpoint Detection and Response (EDR) to detect and identify data breaches and alert the IT personnel (Hassan, Bates & Marino, 2020).

Summary and Recommendation

In summary, Padgett-Beale needs to acquire an insurance policy to cover the financial and legal liabilities that may emanate from potential data breaches. Some benefits come with addressing the gaps identified in the CyberOne and Casualty Insurance audit. These include ensuring timely renewal of the policy to protect the organization from court proceedings and fines. If a business fails to uphold the security, integrity, and confidentiality of its data, it risks suffering a damaged reputation and legal and financial liability to its customers. PBI's lack of specific plans in the company's operating units can be addressed by updating the incident response plan as per the following recommendations: PBI should provide training and awareness to employees quarterly and apply the principle of least privilege to systems, users, and processes to mitigate the risks associated with data breaches. Adhering to legal and regulatory compliance, and regularly testing and updating the incident response policy, will help the organization be steady and minimize data breach chances. Finally, it is important to enhance the organization's capability and efficiency in Endpoint Detection and Response as well as Network Traffic Analysis to enhance network security and traffic control.
