The Marriott hotel chain’s Starwood reservation system has been breached for the past four years, with attackers stealing 500 million guest records including names, payment card information and other PII.
The attackers copied and encrypted a range of data from guests using its reservation system, the company said. The Marriott IT team discovered the breach on 8 September, 2018 when the cyber-criminals attempted to remove data from the US system. This event led to a further investigation which uncovered that the long-running operation had been in place since 2014.
Marriott acquired Starwood Hotels in 2016, indicating the malware was already in place and not yet discovered prior to the deal closing. Commenting on the difficulty of cyber-security due diligence in an M&A, Bruce Potter, chief information security officer at Expel in an email to SC Media UK said; "It feels like Yahoo! all over again. A huge brand gets bought by another huge brand and then they find the company they acquired had a long-running breach. While the details are certainly different, it underscores how cyber-security is part of the risk equation when companies acquire other companies. It’s much harder to understand the cyber-security risk you’re acquiring than it is to audit financial statements when you buy another company."
Steve Malone, director of security product management at Mimecast concurs saying that this incident brings into question future confidence of M&A security due diligence. "Caveat emptor takes on new meanings when the costs of breach remediation are factored in. Customers of Marriott should look to change their password and be extra vigilant for suspicious emails, texts or phone calls, as this stolen information could easily be used for targeted social engineering and impersonation attacks."
"Starwood was no stranger to data breaches, having been hit in 2015 with POS malware affecting 1,275 properties in the U.S. and Canada.
The initial investigation revealed that the cybercriminals had duplicated and encrypted the database. By Nov. 19, Marriott’s security team, working with outside consultants, had partially decrypted enough of the file to determine the extent of the damage.
For 327 million people, the compromised information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences, the company said.
Another batch had payment card numbers and payment card expiration dates exposed, and even though the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), Marriott believes it is possible the malicious actors were able to obtain the two components needed for full decryption. The remaining breached records contained only names and possibly mailing and email addresses.
Noting how this aspect of customer service is overlooked by a service oriented industry, Andy Barratt, UK managing director of cyber security consultancy Coalfire, said: "There is a legacy IT epidemic in the hotel industry and the Marriott hack encapsulates all the challenges that the sector faces. Hotels tend to have limited resources apportioned to IT and limited cyber security expertise, yet are focused on offering customers a seamless purchasing process – one that happens digitally more often than not. Data security is a fundamental expectation and needs to be viewed as part of the service offered to customers."
"We deeply regret this incident happened," said Arne Sorenson, Marriott’s president and CEO. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Refering to the potential GDPR implications, Adam Brown, manager of security solutions at Synopsys said: "In line with protocol, the breach has been reported to the Information Commissioners office - this would need to have been no later than 72 hours after their data protection officer was aware of the breach being real. Of the half a billion data subjects that have been breached, many will be EU citizens which is why the ICO has been alerted under GDPR rules.
Of the 327 million for whom personal data has been leaked, that data is stated as encrypted. However, this isn’t offering any protection since the means to decrypt have also been obtained. This could either be due to unsafe key storage or use of inappropriate encryption mechanisms.
"To avoid such breaches going undetected firms should implement sufficient logging and monitoring of their data as per OWASP’s new #10 of the OWASP Top 10. To avoid such breaches in the first place firms should implement a software security initiative, a good observation of what mature firms do in this regard can be seen in the freely published BSIMM study."
Enza Iannopollo, Forrester, adds: "The Marriott breach has the potential to trigger the first hefty GDPR fine. The ingredients are all here: the volume of personal data exfiltrated, more than 500 million customers, the sensitivity of the data, potentially including customers' passport details, name, address, and even encryption keys, and the length of the breach which started in 2014. The effort here is not just about evaluating technical controls and establishing what didn't work for so long.
"Marriott will have to clarify also how they managed M&A due diligence - since the breach happened within Starwood systems and started before that acquisition, whether they manage customers' personal data as the GDPR requires and this question alone might determine the future of their business, considering the four percent of global revenue potential fine that comes with violation of the rules. This breach will also certainly trigger customers' group action which will further threaten the future stability of the business.
"Finally, we wait to see how Marriott will communicate this breach with their customers. If the breach response is not up to clients' expectations, the further damage to the brand will be impossible to remediate."
Matt Walmsley, EMEA Director at Vectra notes that: "With more than two months between the initial detection time on 8th September 2018 and public disclosure of the breach, depending on what they knew and when, the disclosure window may contravene the GDPR 72-hour notification requirement.
With regards to the breach itself, exfiltrating the data inside encryption may have been an attempt to circumvent security controls such as data loss prevent systems. Having systems watch for exfiltration like behaviours, rather than trying to inspect the data payloads can provide a way for handling this challenge.
"It’s not yet clear exactly what tool flagged the attack but it’s reasonable to believe, based upon their publish description, that it was only detected late in the attack lifecycle. Attackers generally have to make multiple steps and behaviours before they are able to steal or manipulate behaviours. Therefore, detection of these early stage behaviours is key.
The reason we are seeing so many data breaches this year is because we are leaving a time where companies really face no penalties for poor storage and protection of data - apart from reputation loss - and a future world where organisations will be fined enormous sums for allowing data to leak says Kevin Curran, senior IEEE member and Professor of Cybersecurity at Ulster University, adding: "People are also in a semi-state of ignorance (or deliberate ignorance) of safe computing practices. A recent report stated that cyber-crime damage is to hit US$6 trillion (£4.7 trillion) annually by 2021. Cyber theft is simply becoming the fastest growing crime in the world."
How did such a major breach at such a large organisation go undetected so long? David Atkinson, founder of Senseon suggests that even companies that have implemented security tools that monitor for attacks often find that they cannot differentiate between unusual activity and genuine threats. "This in turn means that a huge volume of alerts are raised, requiring manual investigation from human analysts.
"These false positive alerts can waste time and distract attention away from investigating genuine threats. It would be surprising if none of Marriott’s security tools had detected this attack over the past four years, but the alert may not have been prioritised amongst all of the noise, causing the security team to miss it."
Ryan Wilk, VP at NuData Security, a Mastercard company moves on to the discussion about response, reminding all companies transacting online that their systems are never entirely safe from breaches. "These can happen at any time, and companies need to have their post-breach process ready. This plan includes the implementation of a stronger verification framework so they can still correctly authenticate their good users despite potentially stolen credentials.
"This sort of data exposure is why so many organisations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics that identify customers by their online behaviour thus mitigating post-breach damage as hackers are not able to impersonate individual behaviour."