Pyramid Hotel Group Incident

An unsecured database that exposed the security logs — and therefore potential cybersecurity weaknesses — of major hotels including Marriott locations has been uncovered by researchers Noam Rotem and Ran Locar. The database contained 85.4GB of security audit logs, which also included personally identifying information (PII) of employees of the affected companies.

Commentary: A great add-on to my article discussing the negative impacts of complexity on risk – we are now at the age where the security tools themselves are the risk factor that directly contributes to the primary information risk to the organization. Second-order risk, in other words.

One good outcome from this incident is that the vulnerability was addressed quickly (within 2 days) once the researchers reported it, in contrast to the common reaction of companies, when alerted, to evade or deny responsibility, if not ignore the report entirely.

Likely Threat(s): ?
Likely Motive(s): ?
Likely Means: 3.x Attack the Applications, 5.x Attack the Servers
Opportunities: Secure Configuration Management, IAM, Pen Testing

