Data Breach Report
School: University of Maryland Global Campus (UMGC)
Course: 300
Subject: Information Systems
Date: Dec 6, 2023
Type: docx, 9 pages
Data Breach Incident Analysis and Report
Phelan Holsapple
11/21/2023
UMGC CSIA 300 7380
Introduction
Padgett-Beale, Inc. (PBI) has recently gone through a cyber insurance audit. CyberOne Business and Casualty Insurance Ltd. sent auditors to evaluate PBI’s processes, plans and security policies. The audit concluded that PBI was unequipped to handle a data breach. Because of this, CyberOne has indicated that it will not reinstate PBI’s policy until PBI establishes an effective data breach plan and response policy. Cyber insurance is vital to the protection of PBI and our customers because it protects the company’s assets and reputation. Knowing how important cyber insurance is to the company, an internal task force has been created to address these requirements.
Cyber insurance is as important to businesses as medical insurance is to human beings. Cyber insurance helps cover cyber risks like “privacy risk, operational risk, security risk and service risk” (Burke, 2023). An example of a privacy risk is an unknown threat actor obtaining customers’ personal information, such as their birthdate, and using it to cause them harm. A security risk is anything that can endanger the confidentiality, integrity, or availability of data. Operational risk describes any process failure that derails the operation of the business. Finally, a service risk, as it relates to cyber security, is anything that stops a company from providing the services it normally offers.
These risks are covered by four types of insurance agreements: network security and privacy liability, media liability, network business interruption, and errors and omissions (Burke, 2023). Network security and privacy liability is probably the most important insurance agreement for all businesses. It helps cover network security failures such as malware/ransomware, data breaches, cyber extortion, and email compromise. Coverage that other insurers offer under network security includes “forensic investigations, regulatory defense expenses/fines, litigation expenses, business interruption, crisis management expenses, cyber extortion, and betterment” (Travelers Insurance, n.d.), as listed on Travelers’ cyber insurance page. This type of insurance is vital to protect the company in case we are breached in a similar fashion to the Starwood Hotels chain owned by Marriott.
Analysis of Starwood Hotels by Marriott Data Breach
The incident being analyzed is the data breach of the Starwood Hotels guest reservation database that Marriott reported in 2018, years after it purchased the chain. Marriott International reported the breach on November 30, 2018. It could have exposed the information of nearly 500 million guests. The data accessed was a combination of Starwood Preferred Guest (“SPG”) account information, name, mailing address, email address, phone number, passport number, gender, date of birth, arrival and departure information, communication preferences and reservation date. Some guests’ information also included encrypted payment card numbers and payment card expiration dates (Marriott International, 2018). The initial cyber-attack happened in 2014, while Starwood was still an independent company, but went undiscovered until September 8, 2018 (Marriott International, 2018). “Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, and other hotel and timeshare properties” (Gressin, 2022). Unfortunately for Marriott, even though the breach began long before it acquired the Starwood Hotels chain, Marriott was held responsible for the breach and for reporting it in a timely manner.
Marriott was fined £18.4 million by the United Kingdom’s Information Commissioner's Office (ICO) for not protecting personal data in accordance with the General Data Protection Regulation (GDPR). As BBC cyber reporter Joe Tidy stated, “The ICO report makes clear Marriott beefed up the security of Starwood's IT systems far too late and the hackers had free rein to move around, cherry-picking the data that would sell best on criminal forums” (2020). The ICO’s position was that it was Marriott’s responsibility to evaluate Starwood’s databases and cyber security systems directly after purchasing them, to ensure the security of customers’ Personal Identifying Information (PII). To ensure that PBI does not incur the same fees or issues that Marriott faced, PBI should begin using cyber security best practices.
Cyber Security Best Practices
Now we can focus on some best practices for updating PBI's data breach response policy and plans, focusing on people, processes, policies, and technologies.
People:
The first way PBI can improve cyber security in its human interactions is by training employees in best practices. This includes knowing the policies and processes for handling cyber information, including PII. Another way PBI can improve in this area is by notifying the appropriate parties when breaches happen. These parties include law enforcement, other businesses, and affected individual customers (Data Breach Response: A Guide for Business, 2023).
Policies:
Policies are general guidelines to follow in the daily operation of the business. One cyber security policy should require encrypting data as it is collected. Another policy should require updating and maintaining software security (PaySimple, 2023).
Processes:
Processes are detailed, step-by-step instructions for what to do in case of a cyber security attack. The first process should describe how to secure operations across both cyber and physical properties. An example would be being able to shut down electronic operations and have a hard-copy or physical alternative to use while the electronics are shut down. Next, there should be processes for fixing vulnerabilities. These processes should tie in seamlessly with the technologies PBI uses (Data Breach Response: A Guide for Business, 2023). While it is impossible to know about vulnerabilities in the system until they are found, PBI should be able to use its current systems to fix them once they are found.
Technologies:
One technology that can be used to prevent cyber-attacks is multi-factor authentication. Another technology that helps stop cyber-attacks is multiple firewalls. Both technologies will improve PBI’s cyber safety.
Summary
To review, the issues we have addressed include the importance of cyber insurance, how data breaches have affected one of our competitors, Marriott International, and the cyber security best practices we need to implement at PBI. These best practices include training employees in cyber security policies and procedures and notifying other parties if a breach were to happen. Suggested policies included encrypting collected information and maintaining software security. Suggested procedures were knowing how to secure operations and how to fix vulnerabilities. Finally, technology suggestions included multifactor authentication and firewalls. If these suggestions are followed, PBI will be well on its way to being cyber secure.
References
BBC News, & Tidy, J. (2020, October 30). Marriott Hotels fined £18.4m for data breach that hit millions. BBC News. https://www.bbc.com/news/technology-54748843
Burke, D. (2023, October 25). Cyber 101: Understand the basics of cyber liability insurance. Woodruff Sawyer. https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance/
Cyber Liability Insurance | Travelers Insurance. (n.d.). https://www.travelers.com/cyber-insurance
Data Breach Response: A Guide for Business. (2023, August 10). Federal Trade Commission. https://www.ftc.gov/business-guidance/resources/data-breach-response-guide-business
Gressin, S. (2022, June 2). The Marriott data breach. Consumer Advice. https://consumer.ftc.gov/consumer-alerts/2018/12/marriott-data-breach
Marriott International. (2018, Nov. 30). Original Notice from November 30, 2018. https://starwoodstag.wpengine.com/wp-content/uploads/2019/05/us-en_First-Response.pdf
PaySimple. (2023, June 6). How To Prevent Data Breaches: 12 Best Practices. PaySimple. https://paysimple.com/blog/how-to-prevent-data-breach/