Marriott International has confirmed a data breach to the Starwood guest reservation database which has seen the details of up to 500 million guests stolen. On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. The hotel company then engaged security experts to help determine what occurred. It learned during the investigation that there had been unauthorised access to the Starwood network since 2014. On November 19, 2018, the investigation determined that there was unauthorised access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.
While the company has not finished identifying duplicate information in the database, it believes that for approximately 327 million guests, the data includes a combination of name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates; the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128). However, two components are needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward. Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
One of the most concerning aspects of the breach revolves around the financial information. “Marriott has stated that it had encrypted the credit card information but that it’s possible that the hackers also took the information needed to decrypt it, which points to the encryption keys being stored on the same system,” said Matt Middleton-Leal, Netwrix’s General Manager EMEA. “This is a very basic mistake, which appears to have had disastrous consequences for the hotel group. Added to which, it seems that this breach may have dated as far back as 2014, which suggests that the organisation’s detection capabilities are lacking. It’s crucial that companies are able to monitor user behaviour, detect anomalies and terminate suspicious sessions in real time. Organisations entrusted with a wealth of personal and financial data belonging to their customers – in Marriott’s case, this appears to include names, passport details, dates of birth and credit card information belonging to a staggering 500 million people – have a duty of care to protect this. They can and must do better to avoid basic security failings leaving their customers open to fraud.”
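The point made above, that the two components needed to decrypt the card numbers should never sit on the same system, is what envelope encryption is for. The following is an added illustration, not Marriott's or Netwrix's code: each stored row carries its AES-128-GCM-encrypted card number and a per-row data key that is itself encrypted under a key-encryption key (KEK), which this example assumes is held on a separate key system (an HSM or key service) and is only ever fetched at decryption time. A copy of the database alone is therefore not enough to recover a single card number.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Record is a guest row as a stolen database copy would hold it: the AES-encrypted card
// number and its data key, wrapped under a key-encryption key (KEK) held on a separate system.
type Record struct{ CipherPAN, WrappedDEK []byte }

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		panic(err) // wrong key length is a programming error, not runtime input
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}
func seal(key, pt []byte) []byte { // AES-GCM; fresh random nonce prefixed to output
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+ docs)
	return gcm.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { // wrong key fails the GCM tag check
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(ct) < n {
		ct = make([]byte, n) // treat a truncated row like any other forgery
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// EncryptPAN draws a fresh data key per row and wraps it under the KEK, so the two
// components needed to decrypt are never stored together.
func EncryptPAN(kek []byte, pan string) Record {
	dek := make([]byte, 16)
	rand.Read(dek) // fresh AES-128 data key used for this row only
	return Record{CipherPAN: seal(dek, []byte(pan)), WrappedDEK: seal(kek, dek)}
}

// DecryptPAN needs both the stored row and the KEK fetched from the key system.
func DecryptPAN(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := open(dek, r.CipherPAN)
	return string(pan), err
}
```

The separation only helps if the KEK really is kept off the database host and its use is logged, which is also where the anomalous-access monitoring the quote calls for gets its signal.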
“There are a few elements that stand out about the Marriott International data breach,” added Dan Panesar, VP EMEA, Certes Networks. “Firstly, the sheer scale of the breach: data from 500 million customers has been compromised which makes it one of the biggest of its kind. Secondly, the fact that the attacker was able to access the network since 2014, with no unusual activity detected or any alerts of the hacker’s access being raised. Thirdly, the compromised data includes a combination of names, passport numbers, account information, date of birth and more, and despite payment card information being encrypted, insight from the breach shows that there is the possibility that the encryption keys had also been stolen. This means that not only have the hackers been able to steal data, but also potentially the methods to decrypt that data, making it a very serious situation. It highlights once again that it’s a case of when, not if, a data breach will occur.
“The mindset of organisations across all sectors needs to change; they need to focus on securing data, rather than the network, and building Information Assurance strategies rather than security strategies,” continued Panesar. “The technology is available, it’s just a case of organisations recognising that securing data is no longer a ‘nice to have’ – it’s essential. Stealth Layer Four encryption decouples the encryption from the underlying transport network and forms a secure overlay. Using this secure overlay approach for protecting data in motion now means a much more consistent level of security over any transport, including into the cloud, can be achieved. Furthermore, it starts customers on the journey of segmenting the network and applications which makes it harder for hackers to achieve lateral movement, even after they are able to infiltrate the perimeter defences. It leaves people wondering how many more high profile breaches need to occur before organisations really start to make changes, or if they will wait to become the latest brand to deal with the devastating consequences.”
“What’s interesting about this incident is that it raises into question future confidence into M&A security due diligence,” said Steve Malone, Director of Security Product Management at Mimecast. “Caveat emptor takes on new meaning when the costs of breach remediation are factored in. Customers of Marriott should look to change their password and be extra vigilant for suspicious emails, texts or phone calls, as this stolen information could easily be used for targeted social engineering and impersonation attacks.”
“It looks like one more tremendous data breach related to insecure web applications,” observed Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge. “Legal ramifications for Marriott and its subsidiaries can be tremendous, from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims.”
“This is not the largest data breach by any means, although 500 million is no small number and potentially a very sensitive data breach,” noted Kevin Curran, Senior IEEE Member and Professor of Cybersecurity at Ulster University. “The sensitive data stolen in this breach can be used by criminals for identity theft, where they could convince targeted individuals to give up vital personal information, like a password or access to banking sites. The more convincing a phishing email is, the more likely someone is to reply to it.
“The reason we are seeing so many data breaches this year is simply an indication of where we are in time. We are situated between a time where companies really face no penalties for poor storage and protection of data – apart from reputation loss – and a future world where organisations will be fined enormous sums for allowing data to leak. People are also in a semi-state of ignorance (or deliberate ignorance) of safe computing practices. A recent report stated that cybercrime damage is to hit US$6 trillion annually by 2021. Cyber theft is simply becoming the fastest growing crime in the world. Gartner reports that this rising tide of cybercrime has pushed cybersecurity spending to more than US$80 billion in 2016. A major problem is that there is a severe shortage of cybersecurity talent, with unfilled cybersecurity jobs expected to reach 1.5 million by 2019.”