In one of the largest data breaches in history, Marriott, the world’s largest hotel chain, has revealed that the private information of up to 500 million guests, which was contained in its Starwood reservation system, may have been compromised. The data breach came to light in September 2018 when an internal security tool alerted management that there had been an attempt to access the data. On further investigation, it appeared that unauthorized access to the information had been happening since 2014.
Marriott acquired Starwood in 2016 and stated that the breach had ‘only’ affected Starwood and not the Marriott hotels, as the Marriott reservation system is on ‘another network.’
Scale and scope of data breach startling
The breach is startling not only because of the number of guests affected but also because of the length of time the hackers had access to the data.
“Other than the sheer number of records compromised, this breach stands out even more because of the dwell time by the attacker within Marriott’s networks. The illegal access has been active since 2014!” commented Pravin Kothari, CEO of cloud security vendor CipherCloud. “Marriott apparently learned of the data theft on November 19, 2018. This is all too often the case with most large-scale breaches – even current industry averages within the U.S. of about 100 days are way too long.”
According to Marriott, around 357 million guests now face the prospect of hackers holding information that could include their names, email addresses, mailing addresses, phone numbers, passport details, dates of birth and gender, as well as information about their check-in and checkout times. Some customers have also had their credit and debit card information compromised. The scope of the breach is simply staggering.
And this may just be the beginning. Tim Erlin, VP, product management and strategy at Tripwire, commented, “Right now, we’re at the front end of the breach response process, but we should expect that there’s much more to learn about this incident. It’s not unusual for the scope of a breach to expand after the initial disclosure. It’s extremely unusual to have discovered the full extent before public announcement is made.”
Encryption keys at risk
Compounding Marriott’s woes was the fact that the company could not confirm whether the encryption keys used to protect credit card numbers had also been compromised. Marriott stated that it could not “rule out the possibility” that encryption keys were taken by hackers, which would allow access to a treasure trove of valuable payment and credit card data.
According to Michael Thelander, director of product marketing at Venafi, a leading provider of machine identity protection, “The admission that encryption keys may have been stolen is alarming, but unfortunately not uncommon. The dangers are very real: I’ve heard Red Team members say the first thing they do, on achieving access to a network, is locate the SSH-enabled servers and prod at the default locations for host and client keys.
“Without constant visibility into the location of the keys and certificates that protect machine identities, there’s no way of knowing what systems are vulnerable, where pivots have occurred, and where new attacks will be pointed.
“Session logging might tell where SSH keys were used while the attackers were in the network, but there’s a real possibility that keys could have been exfiltrated in parallel with the data. If that’s the case, we may not know it happened until newly-decrypted payment card data begins to drive new fraud schemes.”
Given the potential value of this treasure trove of information, there has been speculation that the hacking was the work of a nation-state player intent on tracking the movements of diplomats, military representatives, influential business executives or even spies. However, even if this is not the case, the value of the data on the black market would represent a significant return on investment for the hackers.
Marriott vague on detail
Although the hotel chain has stated that it has taken steps to limit the damage, the statement issued by Marriott is short on detail. The company stated that an ‘unauthorized party’ had been able to ‘copy and encrypt’ information on the reservation system and had attempted to remove it – but it did not reveal how much data had actually been removed. The company has set up a website for customers who are worried that their data has been compromised, and it is taking steps to contact customers in the U.S., Canada and the U.K. via email to keep them up to date with developments. Marriott will also be supplying guests with a year’s subscription to WebWatcher – a digital security service.