Marriott International has announced details of a cyberattack which compromised the data of millions of customers in its Starwood guest reservation database.
The company said an investigation had determined there was unauthorised access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.
The company said that on September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Leading security experts were brought in to help determine what happened.
Marriott learned during the investigation that there had been unauthorised access to the Starwood network since 2014. The company recently discovered that an unauthorised party had copied and encrypted information and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
Marriott reported this incident to law enforcement and continues to support their investigation.
In a statement, the company said: “Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts.
“Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call centre. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Industry experts respond to the breach
Joseph Carson, Chief Security Scientist at Thycotic
What is shocking about this data breach is that the cybercriminals potentially got away with both the encrypted data as well as the methods to decrypt the data which appears that Marriott have not practiced adequate cybersecurity protection for their customers personal and sensitive information.
The major problem of such data breaches in the past is that those companies who have been entrusted to protect their customer data have only offered up to one year of identity theft protection. But, many of the identity information that is stolen typically can last between five to 10 years such as drivers licenses and passports. So while victims may get some protection, they are at serious risk for years unless they actively replace compromised identity documents which is done at a cost. Companies who fail to protect their customers should be at least responsible for the cost of replacing compromised information and documents rather than deflecting responsibility and accountability.
This latest major data breach will raise questions to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU General Data Protection Regulation which imposes financial penalties of 20m Euros or 4% of annual turnover. If you are a customer of the latest Marriott data breach then it is important to know what data is at risk and consider taking extra precautions as well as changing your Marriott account password.
Jake Olcott, VP of Strategic Partnerships at BitSight
This is yet another example of why it is critical that companies perform cybersecurity analysts during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber -risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a ‘snapshot in time’ view.
Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.
Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge
This looks like one more tremendous data breach related to insecure web applications. Many large companies still do not even have an up-to-date inventory of their external applications, let alone conduct continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail.
Regulations, such as GDPR, do not necessary help. In the past two years many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cybersecurity and privacy.
Legal ramifications for Marriott and its subsidiaries can be tremendous, from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims.
Aatish Pattni, Regional Director for UK and Ireland for cybersecurity vendor, Link11
The attack stole highly sensitive personally-identifiable information including names, passport numbers, dates of birth, email and physical addresses, and some payment card details, which makes it a potential goldmine for hackers.
This follows the trend we have seen in the attacks against the aviation industry this year: these, and the related travel and hospitality sectors process and store huge amounts of high-value personal information such as passport numbers, credit-card details and more.
Although it’s not certain that the stolen data has been used as yet, people who think they may be affected should be wary of any email communications they receive relating to the breach and should not share any other sensitive details by email. Scammers often prey on peoples’ concerns to try and harvest more data so that they can use stolen payment card details or commit other types of fraud.
John Shier, Senior Security Advisor, Sophos
The potential fallout from the Marriott’s Starwood data breach should be alarming to anyone who has stayed at a Starwood property in the last four years. Not only are guests at risk for opportunistic phishing attacks, but targeted phishing emails are almost certain, as well as phone scams and potential financial fraud.
Unlike previous breaches, this attack also included passport numbers for some individuals who are now at increased risk for identity theft. At this point, however, it’s unclear what level of exposure each individual victim has been subject to.
Until then, all potential victims should assume the worst and take all necessary precautions to protect themselves from all manner of scams.
Sophos recommends these tips:
- Be on alert for spearphishing: Marriott has said that personal details associated with the Starwood Preferred Guests accounts have been compromised, and personal email addresses are vulnerable. This creates the perfect scenario for cybercriminals to actually spearphish consumers because they have this type of detailed information
- Be on alert for opportunistic phishing: Marriott has said it will email Starwood Preferred Guests those who may be impacted. Do not click on links in emails or other communication that seem to have come from Marriott or Starwood hotels. It’s possible that criminals will try to take advantage of this by sending malicious tweets or phishing emails that look like they’ve come from the company. Hover over URLs and links to see the address before you click. Look at the email address to see where it is from
- Monitor your financial accounts: Reports indicate the attackers may have access to some members’ encrypted credit card information, but it’s not clear as of yet if this information can be decrypted; in general, monitor your credit card for suspicious activity. As a safety precaution, change the password to your online credit card account. If you use the same password for similar financial management websites, immediately change the password on those websites. As a best security practice, always choose a different, strong password for each sensitive account
- Change passwords, as a precaution: It’s not clear as of yet if the attackers have access to Starwood Preferred Guest account passwords, but as a safety precaution, consumers can change their password. If this password is also used for any financial accounts, change those immediately. Monitor your Starwood Preferred Guest account for suspicious activity
- Don’t Google ‘Web Watcher’: Marriott is offering victims in the USA, UK and Canada a free, one year subscription to something it calls WebWatcher, which it describes as a service that monitors ‘Internet sites where personal information is shared’. Don’t Google it. If you Google “WebWatcher” you won’t find the monitoring service, you’ll find lots of links to spyware of the same name. Don’t sign up for that. Do follow the links to country-specific versions of the official breach site. You cannot sign up for monitoring from the main breach page, you have to go to the all-but-identical versions of the page for the US, UK or Canada
For additional tips and information, please reference the Sophos’ Naked Security article: Huge Marriott breach puts 500 million victims at risk