I worked for Marriott for a long time (on the tech side). They have no disdain for computer science, it's not "run by business majors", and there is no shortage of security experts. They were one of the more on-the-ball technology and security operations _for a company of that age and size and legacy_. The company as a whole placed huge focus, resources and energy on information security from well before I joined - it was one of the most risk-averse groups I've worked for. The incident took place on the Starwood network (they bought Starwood, a completely separate company with completely separate infrastructure), and this issue was discovered post-acquisition and during the long-running integration program (Starwood had 2 breaches previously, so I guess it's not surprising). From what I've seen, if it wasn't for the controls implemented as part of the integration, which formed part of Marriott's standard risk-averse approach to security generally, it probably wouldn't have been found for another 4 years. It's complicated, and 99% of the "damn fool corporates and their evil ways!" comments are completely off the mark because they don't have the context. The reality is that integrating another business is unbelievably difficult. Managing the (now significantly higher) infosec risks, more so. You inherit a landscape with monsters you don't know about, and you still have to own whatever pops out. It's a really, really bad thing to have happened - make no mistake. And in time, the full story will out and opinions can be reached based on facts. Maybe they did screw it up. Maybe they could have done stuff differently. I don't think it's like Equifax, with a clear-cut cause and effect, but a reasonably complicated ecosystem steeped in legacy systems and opaque dependencies that is really hard to change.
It seems to be this generally accepted thing that whenever there is a huge breach, some people (aside from the person doing the breaching) have been utterly negligent, ignored all the obvious and really quite simple stuff (I mean, just encrypt all the things, amirite? duh!) and should be rounded up and shot at dawn. Perhaps - just perhaps - it's something that wasn't a result of negligence, and just wasn't foreseen because hard stuff is hard. Hindsight really does create the most impressive armchair strategists. (No, I don't still work there. I left a few years ago. No, I don't think they're perfect. No, I don't think all corporations are evil incarnate looking to steal our data, only some of them.)