Last Thursday, Equifax CEO Mark Begor and Arne Sorenson, the CEO of Marriott International, appeared before a US Senate subcommittee to testify about the massive data breaches their companies have suffered.
While Begor’s statement was more about the security measures Equifax has implemented since the breach and the company’s plans to implement more protections and increase security investment, Sorenson’s revealed more information about the actual breach.
The Marriott breach post-mortem
As had been known since soon after the breach was made public in November 2018, the attackers gained access to the Starwood Guest Reservation Database in the United States in 2014.
Marriott International acquired Starwood Hotels & Resorts Worldwide in September 2016, but at the time of the breach it had yet to retire the Starwood system and migrate all of Starwood’s hotels onto Marriott’s reservation system (it finally did so in December 2018).
The first indication that something might be wrong was on September 8, 2018, when Accenture, which managed the Starwood Guest Reservation Database, notified Marriott’s IT team about an unusual query from an administrator’s account.
As it turned out, the query was not made by the individual whose credentials were used, and Marriott called in third-party investigators to investigate the scale and scope of the incident.
The investigators first uncovered a Remote Access Trojan used by the attackers, and then Mimikatz (a tool for extracting usernames and passwords from computer systems’ memory).
Proof that data from the Starwood Guest Reservation Database had been exfiltrated was found on November 13, when the investigators discovered evidence that two compressed, encrypted files had been deleted from a device they were examining, and that those two files had potentially been removed from the Starwood network.
“Six days later, on November 19, 2018, investigators were able to decrypt the files, and found that one contained an export of a table from the Starwood Guest Reservation Database containing guest data, while the other contained an export of a table holding passport information,” Sorenson explained.
“On November 25 and 26, we found that, in 2015 and 2016, prior to our acquisition of Starwood, the attacker had likely created a copy of two other tables, which the attacker later deleted. The file names correspond to two other tables in the Starwood Guest Reservation Database. We have been unable to recover those files and could not determine if they had been taken.”
Soon after, Marriott proceeded to notify law enforcement, regulators, the public and affected customers.
The scope of the breach
The Marriott mega breach resulted in the compromise of:
- 383 million guest records
- 18.5 million encrypted passport numbers
- 5.25 million unencrypted passport numbers (approximately 663,000 of which belonged to US travelers)
- 9.1 million encrypted payment card numbers
- Several thousand unencrypted payment card numbers
“To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility,” Sorenson shared.
He also said that, thus far, they have “not received any substantiated claims of loss from fraud attributable to the incident” and that the security firms they engaged to monitor the dark web have not found evidence that the stolen information has been offered for sale.