In one of the largest data breaches in history, Marriott, the world’s largest hotel chain, has revealed that the private information of up to 500 million guests, which was contained in its Starwood reservation system, may have been compromised. The information on the data breach came to light in September 2018 when an internal security tool alerted management that there had been an attempt to access the data. On further investigation it appears that unauthorized access to the information had been happening since 2014.
Marriott acquired Starwood in 2016 and stated that the breach had ‘only’ affected Starwood and not the Marriott hotels as that reservation system is on ‘another network.’
Scale and scope of data breach startling
The scope of the data breach is startling not only because of the number of guests affected, but also because of the length of time that the hackers had access to the data.
“Other than the sheer number of records compromised, this breach stands out even more because of the dwell time by the attacker within Marriott’s networks. The illegal access has been active since 2014!” commented Pravin Kothari, CEO of cloud security vendor CipherCloud. “Marriott apparently learned of the data theft on November 19, 2018. This is all too often the case with most large-scale breaches – even current industry averages within the U.S. of about 100 days are way too long.”
According to Marriott, around 357 million guests now face the prospect that hackers have access to information that could include their names, email addresses, mailing addresses, phone numbers, passport details, date of birth and gender, as well as information about their check-in and checkout times. Some customers have also had their credit and debit card information compromised. The scope of the breach is simply staggering.
And this may just be the beginning as Tim Erlin, VP, product management and strategy at Tripwire, commented that, “Right now, we’re at the front end of the breach response process, but we should expect that there’s much more to learn about this incident. It’s not unusual for the scope of a breach to expand after the initial disclosure. It’s extremely unusual to have discovered the full extent before public announcement is made.”
Encryption keys at risk
Compounding Marriott’s woes was the fact that the company could not confirm whether the encryption keys used to protect credit card numbers had also been compromised. Marriott stated that it could not “rule out the possibility” that encryption keys were taken by hackers, which would allow access to a treasure trove of valuable payment and credit card data.
According to Michael Thelander, director of product marketing at Venafi, a leading provider of machine identity protection, “The admission that encryption keys may have been stolen is alarming, but unfortunately not uncommon. The dangers are very real: I’ve heard Red Team members say the first thing they do, on achieving access to a network, is locate the SSH-enabled servers and prod at the default locations for host and client keys.
“Without constant visibility into the location of the keys and certificates that protect machine identities, there’s no way of knowing what systems are vulnerable, where pivots have occurred, and where new attacks will be pointed.
“Session logging might tell where SSH keys were used while the attackers were in the network, but there’s a real possibility that keys could have been exfiltrated in parallel with the data. If that’s the case, we may not know it happened until newly-decrypted payment card data begins to drive new fraud schemes.”
Given the potential value of the treasure trove of information, there has been speculation that the hacking was the work of a nation-state player intent on tracking the movements of diplomats, military representatives, influential business executives or even spies. However, even if this is not the case, the value of the data on the black market would represent a significant return on investment for the hackers.
Marriott vague on detail
Although the hotel chain has stated that it has taken steps to limit the damage, the statement issued by Marriott is short on detail. The company stated that an ‘unauthorized party’ had been able to ‘copy and encrypt’ information on the reservation system and had attempted to remove it, but it did not reveal how much data had actually been removed. The company has set up a website for customers who are worried that their data has been compromised, and it is taking steps to contact customers in the U.S., Canada and the U.K. via email to keep them up to date with developments. Marriott will also be supplying guests with a year’s subscription to WebWatcher, a digital security service.
However, Marriott’s woes might be only just beginning. The inattention that it has paid to data security issues and the enormous scale of personal information that has been lost may very well draw the ire of the regulators tasked with ensuring that companies comply with Europe-wide GDPR rules. Starwood may face significant financial penalties of up to four percent of its global annual revenue if found to be in breach of those rules.
Too little too late?
It seems bewildering (to say the least) that Marriott would not have noticed a security breach that has been continuous since 2014 and has affected around half a billion of its customers. This is the second largest data breach in history, after the hacking of 3 billion Yahoo accounts, and far more serious than another unfortunate milestone in data security breaches, when about 150 million Under Armour MyFitnessPal diet and fitness app accounts were compromised. To say that the Marriott breach demonstrates a lack of focus is to understate the case to an almost ridiculous degree.
There have been cases where companies have engaged in merger activity without being aware of any potential issue regarding the data security of the organization that they are purchasing. In the case of Marriott and Starwood this may not have been an issue. Still, the question remains: was this a case of an enormous failure to perform proper due diligence prior to snapping up Starwood in September of 2016 for $13 billion and creating the largest hotel chain in the world?
Marriott management should have been aware that the Starwood systems were vulnerable. After all, Starwood had been hacked in the past. In 2015, Starwood, along with other luxury hotel brands such as Trump Hotels and Mandarin Oriental, fell prey to credit card breaches. Malware aimed at stealing credit and debit card information was found on payment systems at restaurants and retail outlets in 54 Starwood hotels in the United States. Given this fact, the question of due diligence by Marriott must again come under the spotlight.
“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Regulators starting their investigations
To say that authorities are not happy about the Marriott data breach is to grossly understate how seriously the matter is being treated.
The Attorney General of Maryland (where Marriott is headquartered), Brian Frosh, tweeted that his office was launching an investigation into the breach.
“The Marriott data breach is one of the largest and most alarming we’ve seen,” Frosh tweeted. “My office is launching an investigation to find out the circumstances that led to the breach and its impact on consumers.”
Barbara Underwood, the Attorney General of New York, also tweeted that she had opened an investigation into the breach.
“New Yorkers deserve to know that their personal information will be protected,” Underwood wrote.
In addition, the Federal Trade Commission is likely to investigate the Marriott breach, said David C. Vladeck, former director of the FTC’s Bureau of Consumer Protection and now a Georgetown Law professor. The FTC declined comment.
There can be no doubt that Marriott has been remiss in its approach to data security. The sensitive nature of the data that was subject to unauthorized access, together with the number of years that such access was for all intents and purposes ignored, points to a systemic failure on behalf of the hotel chain. In fact, it could be characterized as gross negligence. One can only hope that Marriott and Starwood take swift action to ensure that a data breach of this kind does not happen again. They certainly fell short of what is required as far as data security is concerned, and the reputational and financial implications may very well prove devastating.