On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott engaged security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.
The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using AES-128. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
Here are some reactions Help Net Security received about this incident.
Ollie Whitehouse, Global CTO, NCC Group
Marriott Hotels should have identified this breach through their cyber due diligence of Starwood in 2016 when it acquired the company. As a result of buying a breach they will face a number of challenges at a board level around the levels of governance and diligence within the business. Had it performed a detailed compromise assessment as part of its due-diligence activity, the organisation’s board would have been informed of the breach and been able to make a decision based on risk or put other warranties in place.
Since the compromise started in 2014, the breach doesn’t fall under the remit of GDPR. However, the fallout would be incredibly severe under this regulation, and therefore any organisation looking to undergo an M&A deal now or in the future should learn from this example and ensure comprehensive cyber security and compromise assessments are carried out to inform their understanding of risk.
Matthew McKenna, VP EMEA, SecurityScorecard
Although the Starwood Marriott merger was completed in September 2016, the aspects of merging organisations of this many brands and this much complexity operationally, from an IT, risk and security perspective, are daunting. The likelihood of exploitable remnants of security vulnerabilities being left behind over the years that could have been exploited is one potential likelihood. Did Starwood and Marriott have clear visibility and oversight of the cyber risk implications of the merger early enough to foresee such risk, and at a second dimension did they have a strong enough understanding of the risk their supply chain was introducing into the organisation and to the overall security of their data?
With the ever-changing nature of cyber security threats, no company can ever truly guarantee even its own internal security. With the added complexity of connections to third party providers and supply chains, ensuring security becomes an even more difficult task.
Matt Aldridge, Senior Solutions Architect, Webroot
What’s interesting about this incident is that Starwood were breached two years prior to the Marriott acquisition, which brings up the question of “To what extent should Merger & Acquisition due diligence extend to cybersecurity audit, and if indeed this was done at the time, why did it not uncover this issue?” A prior breach is a real risk issue for a company to take on, and needs to be considered. Cyber hygiene needs to be embedded into business processes at all levels.
There’s a risk that this attack may have spread from Starwood systems into Marriott’s systems. It will be interesting to learn more as further details emerge, including whether the encryption keys were also exfiltrated, unlocking the payment cards of millions of Starwood customers. The travel and hospitality industry is a prime target for cyberattacks thanks to the wealth of data it holds – from payment information through to passport details – which can be used to commit further crimes.
Matt Walmsley, EMEA Director, Vectra
With a real treasure trove of valuable personal information having been lifted, this is undoubtedly going to damage the Marriott Starwood brands, and could have a significant direct impact on their affected customers’ identity assurance.
With more than two months between the initial detection time on 8th September 2018 and public disclosure of the breach, depending on what they knew and when, the disclosure window may contravene the GDPR 72-hour notification requirement.
With regards to the breach itself, exfiltrating the data inside encryption may have been an attempt to circumvent security controls such as data loss prevention systems. Having systems watch for exfiltration-like behaviours, rather than trying to inspect the data payloads, can provide a way of handling this challenge. It’s not yet clear exactly what tool flagged the attack, but it’s reasonable to believe, based upon their published description, that it was only detected late in the attack lifecycle. Attackers generally have to make multiple steps and behaviours before they are able to steal or manipulate behaviours. Therefore, detection of these early stage behaviours is key.
This breach also demonstrates that incident response continues to take too long, and in many cases the result is security teams trying to figure out “what just happened, how do we stop it happening again?” rather than spotting, understanding and closing down an attacker earlier in its lifecycle to minimise or stop a breach occurring.
Equally, current manual threat hunting and forensics take too long, and we need to find ways to reduce this. It’s here that automation of some of the tasks, often powered by AI, can significantly reduce the noise of alerts and unrelated information that analysts have to plough through to build up an understanding. In this way, analysts and forensic investigators can augment themselves with automated tools that allow them to act with speed and efficacy that humans alone simply cannot achieve.
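Walmsley’s point above, that watching for exfiltration-like behaviour beats inspecting payloads the attacker has already encrypted, as a small added illustration in Python (not code from the article or from Vectra): it baselines each host’s outbound volume to external addresses and flags a day that deviates sharply. Every host, subnet and byte count in it is constructed.

```python
"""Behaviour-based exfiltration detection over constructed flow records.
Added example, not from the article or any vendor quoted in it: rather than
inspecting payloads (useless once the attacker has encrypted the staged data),
it flags hosts whose outbound volume to external addresses jumps far above
their own baseline. All hosts, subnets and byte counts are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import statistics

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # constructed internal range

# Constructed daily flow records: (day, src_ip, dst_ip, bytes_out).
FLOWS = [
    ("2018-09-01", "10.0.5.20", "10.0.9.1", 120_000_000),  # internal copy, ignored
    ("2018-09-01", "10.0.5.20", "203.0.113.7", 1_000_000),
    ("2018-09-02", "10.0.5.20", "203.0.113.7", 1_200_000),
    ("2018-09-03", "10.0.5.20", "203.0.113.7", 900_000),
    ("2018-09-04", "10.0.5.20", "203.0.113.7", 1_100_000),
    ("2018-09-05", "10.0.5.20", "203.0.113.7", 1_000_000),
    ("2018-09-08", "10.0.5.20", "198.51.100.9", 40_000_000_000),  # bulk transfer out
    ("2018-09-08", "10.0.7.3", "203.0.113.7", 5_000_000),  # no history: not judged
]

def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_external_bytes(flows):
    """Sum bytes per source host and day for flows leaving the internal ranges."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_external(dst):  # payload content is never examined
            totals[src][day] += nbytes
    return totals

def find_exfil_candidates(flows, min_days=5, zscore=3.0):
    """Return (src, day, bytes) where a host exceeds its own prior-days mean by more than zscore stdevs."""
    alerts = []
    for src, per_day in daily_external_bytes(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_days:  # not enough baseline yet
                continue
            spread = statistics.pstdev(history) or 1.0  # guard a flat baseline
            if (per_day[day] - statistics.mean(history)) / spread > zscore:
                alerts.append((src, day, per_day[day]))
    return alerts
```

The 40 GB day stands out against a baseline of roughly 1 MB a day without any need to read the data; a host with no history is deliberately not judged.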
Joseph Carson, Chief Security Scientist, Thycotic
What is shocking about this data breach is that the cybercriminals potentially got away with both the encrypted data as well as the methods to decrypt the data, which suggests that Marriott has not practiced adequate cybersecurity protection for their customers’ personal and sensitive information.
The major problem of such data breaches in the past is that those companies who have been entrusted to protect their customer data have only offered up to one year of identity theft protection. But much of the identity information that is stolen typically can last between 5-10 years, such as driver’s licenses and passports. So while victims may get some protection, they are at serious risk for years unless they actively replace compromised identity documents, which is done at a cost. Companies who fail to protect their customers should be at least responsible for the cost of replacing compromised information and documents rather than deflecting responsibility and accountability.
This latest major data breach will raise questions as to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU General Data Protection Regulation, which imposes financial penalties of 20m Euros or 4% of annual turnover. If you are a customer affected by the latest Marriott data breach then it is important to know what data is at risk and consider taking extra precautions as well as changing your Marriott account password.
Tom van de Wiele, security consultant, F-Secure
The hack was targeted at a part of the company that Marriott acquired a few years ago, being Starwood. This is a common trend where it’s usually not the main company that is targeted, but rather attackers aim to compromise the softer underbelly of the organisation, which are usually IT service providers, contractors and other entities with a high number of interactions within the company. Interactions mean a lot of moving parts to try and control, while other acquisition and fusion efforts are going on. Things like the integration of IT systems and the security thereof take a lot of time between two companies that have to merge requirements, security policies, IT environments, technology stack and company cultures. Some risks are addressed, others are excepted.
The most disappointing part of this hack is the fact that the amount of data stolen is one of the bigger ones of the last few years and further made worse by the fact that the compromise had been going on for at least four years according to several online publications. This indicates that as far as security monitoring and being able to respond in a timely and adequate fashion, Marriott had severe challenges being able to live up to its mission statement of keeping customer data safe.
The real root cause of this might never be known but when looking at other companies that have experienced similar situations – for which F-Secure has performed incident response – the reason for this long detection and response time is usually a general lack of maturity in the detection strategy of the company when trying to find relevant information to track potential incidents.
Being able to prioritise what is important for the business, i.e. customer data, and placing detection points at the right choke points while being able to respond to them, is absolutely crucial for any company trying to guard and protect customer data of any kind.
Some media have reported the database being potentially encrypted is a good thing. Companies should assume a breach will occur and, with that, assume that their database of valuable information can be stolen by an attacker. Following the defence-in-depth principle, this is the right thing to do – to provide layers of protection or resistance to limit the impact of the attack. But the customers of Marriott and Starwood should still take precautions and not get their hopes up. After all is said and done, encryption and the encryption of data is still dependent on who has the keys to be able to decrypt, or, make the information readable again. Having locks on doors is great, but not if you are only doing it to say that you have locks and keep a key handy under every doormat.
Ilia Kolochenko, CEO, High-Tech Bridge
Looks like one more tremendous data breach related to insecure web applications. Many large companies still do not even have an up-to-date inventory of their external applications, let alone conducting continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail.
Regulations, such as GDPR, do not necessarily help. In the past two years many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cybersecurity and privacy.
Legal ramifications for Marriott and its subsidiaries can be tremendous, from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims.
Kevin Curran, Senior IEEE Member and Professor of Cybersecurity at Ulster University
This is not the largest data breach by any means, although 500 million is no small number and potentially a very sensitive data breach. The sensitive data stolen in this breach can be used by criminals for identity theft, where they could convince targeted individuals to give up vital personal information, like a password or access to banking sites. The more convincing a phishing email is, the more likely someone is to reply to it.
The reason we are seeing so many data breaches this year is simply an indication of where we are in time. We are situated between a time where companies really face no penalties for poor storage and protection of data – apart from reputation loss – and a future world where organisations will be fined enormous sums for allowing data to leak. People are also in a semi-state of ignorance (or deliberate ignorance) of safe computing practices.
A recent report stated that cybercrime damage is to hit $6 trillion annually by 2021. Cyber theft is simply becoming the fastest growing crime in the world. Gartner reports that this rising tide of cybercrime has pushed cybersecurity spending to more than $80 billion in 2016. A major problem is that there is a severe shortage of cybersecurity talent with unfilled cybersecurity jobs to reach 1.5 million by 2019.
In the wider context, according to the National Crime Agency Cyber Crime Assessment 2016 report, cybercrime accounted for 53 per cent of all crimes in 2015. This percentage is rising steadily each year. We can expect to see cybercrime continue to develop into a highly lucrative and well organised enterprise.
Cyber criminals, whether state sponsored or not, are even beginning to devote funds to research and development as yet. Criminals are increasingly moving online because this is where the money is. The annual Mary Meeker state of the Internet report for 2017 reports that network breaches are increasingly caused by email spam/phishing. In fact, spam has increased 350% in one year. Ransomware is also showing worrying trends: Malwarebytes shows an increase from 17% in 2015 to 259% in 2016. Across the board we are seeing increases in attacks, and breaches like Marriott’s will only make this problem worse.
Geoff Forsyth, CTO, PCI Pal
The fact that Marriott exposed the personal info of approximately 500M guests, with 327M members having their sensitive data including names, contact info, passport numbers, travel information, and potentially credit card numbers exposed, may be just the start of the company’s concerns.
We recently conducted consumer research which found that 83% of consumers will stop spending with a business for several months in the immediate aftermath of a security breach like the one faced by Marriott today. Even more significantly, over a fifth (21%) of consumers will never return to a business post-breach, representing a significant potential revenue loss. To put this in perspective, one fifth of Marriott’s reported $398M in Q1 2018 earnings equates to approximately $79.6M.
Add to this the fact that consumers are starting to perceive certain sectors as more risky than others as a result of security breaches such as this one – the same research found that consumers already think the travel sector is the second most risky when it comes to security, after retail.
For consumer facing businesses, these findings should serve as a stark warning to ensure that they are implementing online and voice payment security measures, or face negative, and potentially long-lasting revenue and reputation consequences.
Tom Kellermann, Chief Cybersecurity Officer, Carbon Black
It appears there had been unauthorized access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organization – they’re getting in, moving around and seeking more targets as they go.
The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organization’s affiliates, often smaller companies with immature security postures and this can often be the case during mergers and acquisitions. This means that data at every point in the supply chain may be at risk, from customers, to partners, to potential acquisitions.