Marriott data breach highlights basic failings

Marriott International, which is the latest hotel group in a long and growing list to admit to a personal data breach, has warned guests that a database of its Starwood division has been compromised and that up to half a billion records may have been exposed.

The group said in a statement on its website that it has taken measures to investigate and address the security incident affecting reservations at Starwood properties between 2014 and 10 September 2018, which could have serious repercussions for the business in terms of fines for breaching data protection regulations around the world.  

This means the hotel group has taken 20 days to alert those affected by breach while it has conducted an investigation to determine what occurred.

Simon McCalla, chief technology officer (CTO) of Nominet, said the fact that it took Marriott 4 years to identify the breach paints a grim picture of the security system they had in place and how susceptible they were to threats from outside the business.

“Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital. Proactive defence is better than retrospective,” he said.

Joseph Carson, chief security scientist at Thycotic, said the breach will raise questions to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU’s General Data Protection Regulation (GDPR), which imposes financial penalties of up to €20m or 4% of annual turnover. 

The hotel group said it has not yet completed identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests.

For approximately 327 million of these guests, the information includes some combination of name, postal address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the hotel group said.

For the remaining guests, the information was limited to name and sometimes other data such as postal address, email address or other information.

Security commentators have described the compromised information as a potential “goldmine” for cyber criminals to commit fraud and other crimes, and said the breach should serve as a “wake up call” for all businesses to take the security of customers’ data more seriously.

“This follows the trend we have seen in the attacks against the aviation industry this year. These, and the related travel and hospitality sectors, process and store huge amounts of high-value personal information such as passport numbers, credit-card details and more,” said Aatish Pattni, regional director for UK and Ireland for cyber security firm Link11.

Marriott said it reported the incident to law enforcement, that it continues to support their investigation, and has already begun notifying regulatory authorities.

The hotel group claims that it “moved quickly” to contain the incident and conduct an investigation with the assistance of “leading” security experts. Marriott said it has set up a dedicated website and call centre to deal with guest enquiries.

Marriott began sending emails on 30 November 2018 to affected guests whose email addresses are in the Starwood guest reservation database, offering free credit monitoring for a year.

Security commentators say the breach once again underlines the importance of protecting highly sought after personal data and highlights some basic security failings, such as not keeping encryption keys in a separate location from the data resources they unlock.

Matt Middleton-Leal, Netwrix’s general manager for Europe, said the fact that Marriott has admitted that it is possible that the hackers also took the information needed to decrypt it points to the encryption keys being stored on the same system.

“This is a very basic mistake, which appears to have had disastrous consequences for the hotel group. Added to which, it seems that this breach may have dated as far back as 2014, which suggests that the organisation’s detection capabilities are lacking.

“It’s crucial that companies are able to monitor user behaviour, detect anomalies and terminate suspicious sessions in real-time. Organisations entrusted with a wealth of personal and financial data belonging to their customers have a duty of care to protect this. They can and must do better to avoid basic security failings leaving their customers open to fraud,” he said. 

Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, said the incident appears to be one more data breach related to insecure web applications.

“Many large companies still do not even have an up-to-date inventory of their external applications, let alone conducting continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail.

“Regulations, such as GDPR, do not necessarily help. In the past two years, many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cyber security and privacy,” he said.

Other commentators said the breach also underlines the security implications that come with mergers and acquisitions.

“In this case, when Marriott acquired Starwood, it needed to treat the newly acquired infrastructure, applications and systems as a business-critical risk until such they can identify and map the new, expanded attack surface and prioritise risk reduction,” said Simon Roe, product manager of Outpost24.

“Use all the tools at your disposal – vulnerability scanning, application security tools, third-party penetration testing. And while we had no idea how security was handled before and after the merger, given the length of time of the attackers had access before, and after, it’s easy to assume that something has gone amiss during the transition,” he said.

Marriott International acquired Starwood in 2016, including brands such as W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Fortunately, Marriott-branded hotels use a separate reservation system, which means Marriotts are not affected by the breach.

Bimal Gandhi, CEO at Uniken, said this breach underscores the “sheer folly” of continuing to rely on outdated security methods such as using personal information in authentication, given the sheer proliferation of stolen and leaked personal data now available on the dark web.

Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well

“Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well. Hotels, hospitality companies, banks and e-commerce entities are all moving to newer ways to enable customers authenticate themselves across channels, without requiring any personal data.

“Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond personal data authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network

“Invisible multifactor authentication solutions that rely on cryptographic key-based authentication combined with device, environmental and behavioural technologies provide just such a solution. By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks,” he said.

A spokesperson for the National Cyber Security Centre said: “We are working with partners to better understand the data breach affecting Marriott International and how it has affected customers.
 
“The NCSC website includes advice for people who think they have been affected by a data breach, including guidance on suspicious phone calls and targeted emails that can be sent after a data breach.
 
“We also recommend that people are vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns.”