Marriott International said last week that up to 500 million guests’ information may have been accessed as part of a data breach of its Starwood guest reservation database. The world’s largest hotel chain said it determined on Nov. 19 that an “unauthorized party” had accessed the database as early as 2014. For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Adam Brown, Manager of Security Solutions at Synopsys:
“The world’s largest hotel chain may have just reported the world’s largest hotel guest data breach and the world’s second largest data breach.
In line with protocol, the breach has been reported to the Information Commissioner’s Office – this would need to have been no later than 72 hours after their data protection officer was aware of the breach being real. Of the half a billion data subjects that have been breached, many will be EU citizens which is why the ICO has been alerted under GDPR rules. Of the 327 million for whom personal data has been leaked, that data is stated as encrypted. However, this isn’t offering any protection since the means to decrypt have also been obtained. This could either be due to unsafe key storage or use of inappropriate encryption mechanisms.
To avoid such breaches going undetected firms should implement sufficient logging and monitoring of their data as per OWASP’s new #10 of the OWASP Top 10. To avoid such breaches in the first place firms should implement a software security initiative, a good observation of what mature firms do in this regard can be seen in the freely published BSIMM study – now in its 10th year: www.bsimm.com”
Satya Gupta, CTO and Co-founder at Virsec:
“What’s most disturbing about this attack is the enormous dwell time inside Starwood’s systems. The attackers apparently had unauthorized access since 2014 – a massive window of opportunity to explore internal servers, escalate privileges, move laterally to other systems, and plot a careful exfiltration strategy before being discovered. All organizations should assume that the next threat is already inside their networks and won’t be caught by conventional perimeter security. We need much more careful scrutiny of what critical applications are actually doing to spot signs of internal corruption. We must reduce dwell time from years to seconds.”
Rich Campagna, CMO at Bitglass:
“Marriott is not alone in its lack of visibility over its infrastructure. Any organization that acquires another business and its IT assets will be faced with major security blind spots unless the right tools are in place. Marriott should be looking at the infrastructure affiliated with all its prior acquisitions, ensuring that the security controls in place are as effective as possible.
It’s concerning when it takes an organization months, or even years, to recognize that a breach has occurred – it highlights the inadequacy of reactive security solutions. To avoid these kinds of events, organizations must adopt flexible security platforms that proactively detect and respond to new threats as they arise. Ensuring proactive security and remediating threats before hackers have a chance to exploit them is key to securing data.”
Mark Weiner, CMO at Balbix:
“Mitigating the damages of a breach like this is an incredibly difficult task for Marriott, especially since the breach could potentially be one of the largest in history behind the hacking of about 3 billion Yahoo accounts. Companies must rethink their reactive cybersecurity strategies that detect and control breaches in progress or after they happen. At that point, it’s too late. Organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems to detect vulnerabilities that could be exploited—as opposed to those that have been already. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches.”
Stephan Chenette, Co-Founder and CTO at AttackIQ:
“The Marriott Starwood breach stands as potentially one of the largest breaches on record and is another example of a merger and acquisition where testing the resiliency of the current security controls would have assisted in both the visibility of gaps and discovery that Starwood Hotels was already breached.
Data breaches are expensive for everyone involved. Marriott will feel the burden of this breach through fines under GDPR and damage to their reputation, potentially causing customers to turn to their competitors.”
Dan Dearing, senior director of Product Marketing at Pulse Secure:
“Early reports stated that security experts working with Marriott determined that there had been unauthorized access of the Starwood network since 2014.
This type of “lying in wait” threat is driving many IT organizations to rethink how they secure their network to combat hackers who are sophisticated and patient to wait for the big payoff. The new security buzzword that describes how companies can defeat this type of threat is “zero-trust.” Essentially, IT cannot trust anything or anyone inside or outside of their network. Instead, they must deploy security tools that help enable them to always verify who the user is, whether the user is authorized to access the desired application or data, and finally if the user’s laptop or mobile device meets the security standards of the company. Only if all three conditions are met is the user allowed on the network.”
Brian Vecci, Technical Evangelist at Varonis:
“With any major breach like this one, especially one hitting an upscale brand, it’s extremely likely that high-profile individuals have had their information stolen. But it really does not matter if the individual is a C-level executive or a parent taking their kids on vacation to Euro Disney: the damage has been done.
Like the Equifax breach, hackers made off with sensitive information that can’t be changed: names, passport numbers, dates of birth, and more. Now 500 million people are going to have to watch their credit reports and may likely be inconvenienced for the rest of their lives. Many will likely fall victim to spearphishing scams in the months and years to come due to the highly personalized nature of the stolen information.
It’s crazy to think that in this day and age of massive breaches, major brands are spending millions on advertising and customer loyalty programs but failing to protect what matters most: the personal data of their most dedicated customers. It’s no wonder why customers continue to grow distrustful and demand regulations such as the GDPR and, now in the U.S., the California Consumer Privacy Act.”
Colin Bastable, CEO at Lucy Security:
“Kudos to Marriott for getting the news out as soon as they learned about the breach. It will be very painful for Marriott’s staff and shareholders, especially as this breach apparently started four years ago. Ninety-six percent of cyberattacks start with a phishing email and continue to badly impact consumers and the C Suite long after the attack. Marriott’s fast reporting shows some other recent cyberattack victims up in a bad light; they clearly had a plan in place for such a situation and executed on it.
In terms of consumer advice, consumers should never allow travel companies to consolidate different rewards or loyalty programs from airline and rental car companies, as this just broadens the consumer’s vulnerability footprint. It is a case of when, not if, consumers’ accounts are hacked – it will happen, so be prepared.”
Sherban Naum, Senior Vice President at Bromium:
“After a four year long-term-stay in the Starwood Hotel database, the hackers finally checked out, and with more than the complimentary bath robes. Lying dormant in systems is a common tactic for advanced cybercriminal groups and nation state actors, who will focus on staying hidden and taking time to exfiltrate data, obtain secrets and insert backdoors, ensuring long-term access. Often, hackers will gain a foothold through unsuspecting users and spend time working their way through the network, escalating privileges in order to access a company’s crown jewels. The longer a hacker has access, the more damage they can do, so this is much more serious than a one-off breach, continuously putting customers at risk of targeted phishing attacks and card fraud. Attackers are growing smarter in leveraging the very systems enterprises depend on to exploit vulnerabilities. It appears the dependence on legacy detect-to-protect approaches has, yet again, failed. It’s incredible that hackers were able to gain access and persist unnoticed for so long, and that the breach seems to have been overlooked during the merging of Starwood and Marriott’s global networks. I’d be curious to know how much control the hackers had: Perhaps they were able to exploit the very systems Starwood depended on to scan and patch systems, knowing when to move or what to avoid. Of course, each day a potential adversary checks into a property or logs into their account.”
“Organisations need to be locking down high-value assets, such as customer data, and applying a zero trust approach to endpoints and networks by applying security right down to the application level. By abstracting and segmenting access to high value applications and data, isolating the application in a hardware-enforced virtual environment, even if the network, server or end-user device is compromised, cybercriminals can’t see or access the data – so no information would have been accessed. Lessons need to be learnt here so that a catastrophic breach of this kind can be prevented.”
Robin Tombs, Co-Founder and CEO at Yoti:
“We have to trust that companies will protect our personal data, yet it can be hacked and stolen in the blink of an eye. News of the latest data breach, this time Marriott International, has impacted millions of people who will now have the worry and stress of what has happened to their precious personal information.
Big databases are a hot target for hackers; especially ones which contain sensitive data like passport information and payment details. It’s time companies put an end to big databases, and only asked for the necessary information from their customers. This would help strike a balance between protecting individuals’ confidentiality whilst ensuring companies have the details they need.
Individuals should also be able to secure their accounts with biometrics instead of passwords – this would offer greater protection of our online accounts and personal information.”
John Gunn, CMO at OneSpan:
“The significance of the Marriott breach is not in the number of records that were compromised, that is relatively small. Its impact on the victims is much greater than the numbers reveal. It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport. This may be an emerging trend with hacking organizations, to target large pools of passport data. Stolen passports sell for a magnitude more than stolen credit cards on the dark web.”
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
“The vast stores of personally identifiable data on the Dark Web continue to grow at historic rates, and fraudsters have rich resources with which to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal data obtained in one breach could be cross-referenced with data obtained from another breach and other widely publicized private sector breaches, and the Marriott breach only makes their task that much easier and more likely to succeed. Having the databases in the same place makes things even easier for the bad guys.
Cyber attacks such as Marriott’s will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk based fraud detection technologies in their organizations, but also make sure all third party partners have equal cybersecurity measures in place.”
Gary Roboff, Senior Advisor at Santa Fe Group:
“How could a breach like this continue for 4 years?
If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a “mass data dump exfiltration event” in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.
While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly.”
Bimal Gandhi, Chief Executive Officer at Uniken:
“Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web.
“Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well. Hotels, hospitality companies, banks and eCommerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII.
“Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond PII authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor, in order to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network.
“Invisible multifactor authentication solutions that rely on cryptographic key based authentication combined with device, environmental and behavioral technologies provide just such a solution. By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks.”
Kevin Curran, Senior IEEE Member and Professor of Cybersecurity at Ulster University:
“This is not the largest data breach by any means although 500 million is no small number and potentially a very sensitive data breach. The sensitive data stolen in this breach can be used by criminals for identity theft where they could convince targeted individuals to give up vital, personal information, like a password or access to banking sites. The more convincing a phishing email is – the more likely someone is to reply to it.
The reason we are seeing so many data breaches this year is simply an indication of where we are in time. We are situated between a time where companies really face no penalties for poor storage and protection of data – apart from reputation loss – and a future world where organisations will be fined enormous sums for allowing data to leak. People are also in a semi-state of ignorance (or deliberate ignorance) of safe computing practices. A recent report stated that cybercrime damage is to hit $6 trillion annually by 2021. Cyber theft is simply becoming the fastest growing crime in the world. Gartner reports that this rising tide of cybercrime has pushed cybersecurity spending to more than $80 billion in 2016. A major problem is that there is a severe shortage of cybersecurity talent with unfilled cybersecurity jobs to reach 1.5 million by 2019.
In the wider context, according to the National Crime Agency Cyber Crime Assessment 2016 report, cybercrime accounted for 53 per cent of all crimes in 2015. This percentage is rising steadily each year. We can expect to see cybercrime continue to develop into a highly lucrative and well organised enterprise. Cyber criminals, whether state sponsored or not, are even beginning to devote funds to research and development as yet. Criminals are increasingly moving online because this is where the money is. The annual Mary Meeker’s state of the Internet report for 2017 reports that network breaches are increasingly caused by email spam/phishing. In fact spam has increased 350% in one year. The trend for ransomware is also showing worrying trends. Malwarebytes shows an increase from 17% in 2015 to 259% in 2016. Across the board we are seeing increases in attacks, and breaches like Marriott will only make this problem worse.”
Ryan Wilk, VP at NuData Security:
“The hospitality sector has been hit hard this year with breaches at such hotels as the Prince, Radisson, and Intercontinental to name a few. Unfortunately, this breach was going on since 2014 which means that cyber hackers secured a treasure trove of personal information. This news needs to remind merchants and other companies transacting online that their systems are never entirely safe from breaches; these can happen at any time, and companies need to have their post-breach process ready. This plan includes the implementation of a stronger verification framework so they can still correctly authenticate their good users despite potentially stolen credentials. This sort of data exposure is why so many organisations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics that identify customers by their online behaviour thus mitigating post-breach damage as hackers are not able to impersonate individual behavior.”
Bill Evans, Senior Director at One Identity:
“In yet another breach, Marriott’s Starwood Hotel reservation database was recently hacked exposing swathes of data on as many as 500,000,000 guests. While a breach of any information of even a single individual is bad, there are levels of severity regarding the types of personal information that are hacked. For example, Marriott states that around 327,000,000 guests had phone numbers and email addresses compromised. While this is a concern, compromising this type of information is not the end of the world. However, Marriott has also stated that credit card information and even passport information may have been compromised. This is a much more challenging situation for the company and its customers.
Although it might be a nuisance, affected customers should contact their credit card company to disable their compromised card, create a new account and order a replacement. By now, I am sure we have all had to do this. In addition, those people will need to begin (or continue) monitoring their credit history. The exposure of passport information is another level. It’s not a simple process to get a new passport. We will have to see what Marriott’s guidance is for this situation.”
Simon McCalla, CTO at Nominet:
“The Marriott hack is the latest in a long line of hacks that would concern consumers across the world. But perhaps the most concerning part of this data breach is that, during their investigation into the cause, they found that there had been unauthorised access to the Starwood network since 2014.
“The company received an internal security alert in September of this year – four years after the initial breach. This paints a grim picture of the security system they had in place and how susceptible they were to threats from outside the business.
“Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital. Proactive defence is better than retrospective and with 500m customers affected by this breach, Starwood Groups are finding this out the hard way.”
Irra Ariella Khi, CEO and Co-founder at VChain:
“Yet again, we see huge international corporations making the same mistake of storing substantial amounts of highly personalised, customer data in centralised locations. These organisations are trusted with personally identifiable customer data, which should never be stored on these vulnerable systems of ‘confidential’ centralised data storage. These systems are private by assumption, but are actually alarmingly open – particularly to today’s increasingly receptive hacker.
“With GDPR now in play as a standard that we all expect, it’s essential that consumers – as well as regulators – demand for better practices when it comes to data protection. It’s imperative that cyber security and data management move towards privacy by design: using systems that are built from the outset to be secure, with privacy by design architecture built into the core of any sensitive data product.
“The “if it ain’t broke, don’t fix it” approach has not only proven to be unsustainable, but ultimately ends up affecting share prices. In today’s modern world, where technologies are increasingly available to inhibit exactly this kind of thing from happening in the first place, these corporations are running out of excuses.”
Ed Macnair, CEO at CensorNet:
“If 500 million individual guests were indeed impacted by this breach, it will make it one of the most significant data security incidents that we have seen to date. While it is still yet to be determined exactly what information has been accessed, it seems likely that there is a huge amount of data involved – including payment details – and anyone who has stayed with the hotel chain in recent years has good reason to be concerned.
“Worryingly, it appears that the information was accessed in 2014, leaving a lot of individuals vulnerable for years. Reports suggest that, for more than 300 million people, the information accessed includes name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences – that is a huge amount of information about individuals that, in the wrong hands, could do a lot of damage, from identity theft through to brute force attacks on other online accounts.
“There is likely to be more information about exactly how this breach happened emerging over the next few weeks but, in the meantime, anyone that has been affected by this breach – or thinks they may have been – would be well advised to sign up with a credit checking service to make sure their details haven’t been used untowardly. It would also be sensible to change passwords for other accounts that used the same log-in details.”
James Hadley, CEO at Immersive Labs:
“The fact that 500 million customers’ personal details – including payment information and addresses – have been taken is disturbing. However, what’s more concerning is that this has been happening since 2014. This clearly demonstrates that something is off in the company’s approach to security and urgently needs to be re-assessed.
“This is the most significant breach we’ve seen this year and, if the number of people involved is correct, may well be one of the biggest hacks ever to occur and, while Marriott has a lot of questions to answer, it’s not alone in struggling to keep up with the massive barrage of threats everyone is facing. Cyber criminals are constrained by internal red tape and laws, so can be as creative as they want in order to get their pay day. Security teams don’t have the same luxury.
“In order to have any hope of playing the criminals at their own game, companies need to be more agile in their approach to security – making sure their employees have exactly the right skills to deal with what’s happening in the real world. Scenarios like this are all too common and something needs to change. That starts with making sure people have the capabilities to identify and rectify situations like this.”
Trevor Reschke, Threat Intelligence Officer, Trusted Knight:
“This is a data breach on a scale that blows the rest out of the water – with over 500 million people affected. It is certainly the largest breach recorded this year, and one of the largest breaches in history. The sheer number of customers affected is staggering. Stolen data includes phone numbers, email addresses, passport numbers – and even payment card numbers and expiration dates. It’s highly likely that the details of these 500 million people are being sold online and anyone who thinks they may have been caught up will really need to keep a close eye on their personal accounts. If you’ve stayed at a Starwood or Marriott property in the past few years, and have experienced some type of fraud, whether compromised credit card information or identity theft, this data breach may have been leveraged to enhance the criminal’s chances of success. Anyone impacted should make sure that any accounts using the same log-in details are changed, and also sign up with credit checking agencies to double check nothing untoward has happened.
“What is most alarming about this hack – after the almost incomprehensible number of people affected – is that in its investigation into the breach, Marriott discovered that there had been unauthorised access to its network since 2014. We have been shown again and again that organisations do not take the security of their customer data seriously – and such unauthorised access going unnoticed for four years is a prime example of this. We don’t know yet how this breach happened, but whatever the cause, it’s simply unacceptable that it went undetected for so long.”
Joseph Carson, Chief Security Scientist at Thycotic:
“What is shocking about this data breach is that the cybercriminals potentially got away with both the encrypted data as well as the methods to decrypt the data, which suggests that Marriott has not practiced adequate cybersecurity protection for their customers’ personal and sensitive information.
The major problem of such data breaches in the past is that those companies who have been entrusted to protect their customer data have only offered up to one year of identity theft protection. But much of the identity information that is stolen typically can last between 5-10 years, such as driver’s licenses and passports. So while victims may get some protection, they are at serious risk for years unless they actively replace compromised identity documents, which is done at a cost. Companies who fail to protect their customers should be at least responsible for the cost of replacing compromised information and documents rather than deflecting responsibility and accountability.
This latest major data breach will raise questions as to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU General Data Protection Regulation, which imposes financial penalties of 20m Euros or 4% of annual turnover. If you are a customer affected by the latest Marriott data breach then it is important to know what data is at risk and consider taking extra precautions as well as changing your Marriott account password.”
Franklyn Jones, CMO at Cequence:
“Unfortunately, we can also expect to see a long tail effect from this breach. As this data finds its way to the dark web, these stolen credentials will be acquired by other bad actors. They, in turn, will orchestrate high volume bot attacks to see if the stolen credentials can also provide access to web, mobile, and API application services of other organizations.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.