Marriott International said last week that up to 500 million guests’ information may have been accessed as part of a data breach of its Starwood guest reservation database. The world’s largest hotel chain said it determined on Nov. 19 that an “unauthorized party” had accessed the database as early as 2014. For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Adam Brown, Manager of Security Solutions at Synopsys:
“In line with protocol, the breach has been reported to the Information Commissioner’s Office – this would need to have been no later than 72 hours after their data protection officer was aware of the breach being real. Of the half a billion data subjects that have been breached, many will be EU citizens, which is why the ICO has been alerted under GDPR rules. Of the 327 million for whom personal data has been leaked, that data is stated as encrypted. However, this isn’t offering any protection since the means to decrypt have also been obtained. This could either be due to unsafe key storage or use of inappropriate encryption mechanisms.
To avoid such breaches going undetected, firms should implement sufficient logging and monitoring of their data as per OWASP’s new #10 of the OWASP Top 10. To avoid such breaches in the first place, firms should implement a software security initiative; a good observation of what mature firms do in this regard can be seen in the freely published BSIMM study – now in its 10th year: www.bsimm.com”
Satya Gupta, CTO and Co-founder at Virsec:
Rich Campagna, CMO at Bitglass:
“It’s concerning when it takes an organization months, or even years, to recognize that a breach has occurred – it highlights the inadequacy of reactive security solutions. To avoid these kinds of events, organizations must adopt flexible security platforms that proactively detect and respond to new threats as they arise. Ensuring proactive security and remediating threats before hackers have a chance to exploit them is key to securing data.”
Mark Weiner, CMO at Balbix:
Stephan Chenette, Co-Founder and CTO at AttackIQ:
“Data breaches are expensive for everyone involved. Marriott will feel the burden of this breach through fines under GDPR and damage to their reputation, potentially causing customers to turn to their competitors.”
Dan Dearing, senior director of Product Marketing at Pulse Secure:
“This type of “lying in wait” threat is driving many IT organizations to rethink how they secure their network to combat hackers who are sophisticated and patient enough to wait for the big payoff. The new security buzzword that describes how companies can defeat this type of threat is “zero-trust.” Essentially, IT cannot trust anything or anyone inside or outside of their network. Instead, they must deploy security tools that help enable them to always verify who the user is, whether the user is authorized to access the desired application or data, and finally if the user’s laptop or mobile device meets the security standards of the company. Only if all three conditions are met is the user allowed on the network.”
Brian Vecci, Technical Evangelist at Varonis:
“Like the Equifax breach, hackers made off with sensitive information that can’t be changed: names, passport numbers, dates of birth, and more. Now 500 million people are going to have to watch their credit reports and may likely be inconvenienced for the rest of their lives. Many will likely fall victim to spearphishing scams in the months and years to come due to the highly personalized nature of the stolen information.
It’s crazy to think that in this day and age of massive breaches, major brands are spending millions on advertising and customer loyalty programs but failing to protect what matters most: the personal data of their most dedicated customers. It’s no wonder customers continue to grow distrustful and demand regulations such as the GDPR and, now in the U.S., the California Consumer Privacy Act.”
Colin Bastable, CEO at Lucy Security:
“In terms of consumer advice, consumers should never allow travel companies to consolidate different rewards or loyalty programs from airline and rental car companies, as this just broadens the consumer’s vulnerability footprint. It is a case of when, not if, consumers’ accounts are hacked – it will happen, so be prepared.”
Sherban Naum, Senior Vice President at Bromium:
“Organisations need to be locking down high-value assets, such as customer data, and applying a zero trust approach to endpoints and networks by applying security right down to the application level. By abstracting and segmenting access to high value applications and data, isolating the application in a hardware-enforced virtual environment, even if the network, server or end-user device is compromised, cybercriminals can’t see or access the data – so no information would have been accessed. Lessons need to be learnt here so that a catastrophic breach of this kind can be prevented.”
Robin Tombs, Co-Founder and CEO at Yoti:
“Big databases are a hot target for hackers; especially ones which contain sensitive data like passport information and payment details. It’s time companies put an end to big databases, and only asked for the necessary information from their customers. This would help strike a balance between protecting individuals’ confidentiality whilst ensuring companies have the details they need.
Individuals should also be able to secure their accounts with biometrics instead of passwords – this would offer greater protection of our online accounts and personal information.”
John Gunn, CMO at OneSpan:
Michael Magrath, Director, Global Regulations & Standards at OneSpan:
“Cyber attacks such as Marriott’s will continue, and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations, but also make sure all third-party partners have equal cybersecurity measures in place.”
Gary Roboff, Senior Advisor at Santa Fe Group:
“If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a “mass data dump exfiltration event” in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.
While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly.”
Bimal Gandhi, Chief Executive Officer at Uniken:
“Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well. Hotels, hospitality companies, banks and eCommerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII.
“Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond PII authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor, in order to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network.
“Invisible multifactor authentication solutions that rely on cryptographic key based authentication combined with device, environmental and behavioral technologies provide just such a solution. By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks.”
Kevin Curran, Senior IEEE Member and Professor of Cybersecurity at Ulster University:
“The reason we are seeing so many data breaches this year is simply an indication of where we are in time. We are situated between a time where companies really face no penalties for poor storage and protection of data – apart from reputation loss – and a future world where organisations will be fined enormous sums for allowing data to leak. People are also in a semi-state of ignorance (or deliberate ignorance) of safe computing practices. A recent report stated that cybercrime damage is to hit $6 trillion annually by 2021. Cyber theft is simply becoming the fastest growing crime in the world. Gartner reports that this rising tide of cybercrime has pushed cybersecurity spending to more than $80 billion in 2016. A major problem is that there is a severe shortage of cybersecurity talent, with unfilled cybersecurity jobs to reach 1.5 million by 2019.
In the wider context, according to the National Crime Agency Cyber Crime Assessment 2016 report, cybercrime accounted for 53 per cent of all crimes in 2015. This percentage is rising steadily each year. We can expect to see cybercrime continue to develop into a highly lucrative and well organised enterprise. Cyber criminals, whether state sponsored or not, are even beginning to devote funds to research and development. Criminals are increasingly moving online because this is where the money is. The annual Mary Meeker State of the Internet report for 2017 reports that network breaches are increasingly caused by email spam/phishing. In fact, spam has increased 350% in one year. The trend for ransomware is also showing worrying trends. Malwarebytes shows an increase from 17% in 2015 to 259% in 2016. Across the board we are seeing increases in attacks, and breaches like Marriott’s will only make this problem worse.”
Ryan Wilk, VP at NuData Security:
Bill Evans, Senior Director at One Identity:
“Although it might be a nuisance, affected customers should contact their credit card company to disable their compromised card, create a new account and order a replacement. By now, I am sure we have all had to do this. In addition, those people will need to begin (or continue) monitoring their credit history. The exposure of passport information is another level. It’s not a simple process to get a new passport. We will have to see what Marriott’s guidance is for this situation.”
Simon McCalla, CTO at Nominet:
“The company received an internal security alert in September of this year – four years after the initial breach. This paints a grim picture of the security system they had in place and how susceptible they were to threats from outside the business.
“Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital. Proactive defence is better than retrospective, and with 500m customers affected by this breach, Starwood Group is finding this out the hard way.”
Irra Ariella Khi, CEO and Co-founder at VChain:
“With GDPR now in play as a standard that we all expect, it’s essential that consumers – as well as regulators – demand better practices when it comes to data protection. It’s imperative that cyber security and data management move towards privacy by design: using systems that are built from the outset to be secure, with privacy by design architecture built into the core of any sensitive data product.
“The “if it ain’t broke, don’t fix it” approach has not only proven to be unsustainable, but ultimately ends up affecting share prices. In today’s modern world, where technologies are increasingly available to inhibit exactly this kind of thing from happening in the first place, these corporations are running out of excuses.”
Ed Macnair, CEO at CensorNet:
“Worryingly, it appears that the information was accessed in 2014, leaving a lot of individuals vulnerable for years. Reports suggest that, for more than 300 million people, the information accessed includes name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences – that is a huge amount of information about individuals that, in the wrong hands, could do a lot of damage, from identity theft through to brute force attacks on other online accounts.
“There is likely to be more information about exactly how this breach happened emerging over the next few weeks but, in the meantime, anyone that has been affected by this breach – or thinks they may have been – would be well advised to sign up with a credit checking service to make sure their details haven’t been used untowardly. It would also be sensible to change passwords for other accounts that used the same log-in details.”
James Hadley, CEO at Immersive Labs:
“This is the most significant breach we’ve seen this year and, if the number of people involved is correct, may well be one of the biggest hacks ever to occur and, while Marriott has a lot of questions to answer, it’s not alone in struggling to keep up with the massive barrage of threats everyone is facing. Cyber criminals aren’t constrained by internal red tape and laws, so can be as creative as they want in order to get their pay day. Security teams don’t have the same luxury.
“In order to have any hope of playing the criminals at their own game, companies need to be more agile in their approach to security – making sure their employees have exactly the right skills to deal with what’s happening in the real world. Scenarios like this are all too common and something needs to change. That starts with making sure people have the capabilities to identify and rectify situations like this.”
Trevor Reschke, Threat Intelligence Officer, Trusted Knight:
“What is most alarming about this hack – after the almost incomprehensible number of people affected – is that in its investigation into the breach, Marriott discovered that there had been unauthorised access to its network since 2014. We have been shown again and again that organisations do not take the security of their customer data seriously – and such unauthorised access going unnoticed for four years is a prime example of this. We don’t know yet how this breach happened, but whatever the cause, it’s simply unacceptable that it went undetected for so long.”
Joseph Carson, Chief Security Scientist at Thycotic:
“What is shocking about this data breach is that the cybercriminals potentially got away with both the encrypted data as well as the methods to decrypt the data, which suggests that Marriott has not practised adequate cybersecurity protection for their customers’ personal and sensitive information.
The major problem of such data breaches in the past is that those companies who have been entrusted to protect their customer data have only offered up to one year of identity theft protection. But much of the identity information that is stolen typically can last between 5-10 years, such as driver’s licenses and passports. So while victims may get some protection, they are at serious risk for years unless they actively replace compromised identity documents, which is done at a cost. Companies who fail to protect their customers should be at least responsible for the cost of replacing compromised information and documents rather than deflecting responsibility and accountability.
This latest major data breach will raise questions as to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU General Data Protection Regulation, which imposes financial penalties of 20m Euros or 4% of annual turnover. If you are a customer affected by the latest Marriott data breach then it is important to know what data is at risk and consider taking extra precautions as well as changing your Marriott account password.”
Franklyn Jones, CMO at Cequence: