Question

Marriott Hotel data breach, explain with a report on it that answers the following question; When and where was the breach? What was the cause of the breach (be specific)? Who was affected? How severe were the effects of the data breach on the individuals affected? Were there other potential effects (e.g. identity theft) that haven't been documented yet? How did the company respond to the breach? Was there anything the company failed to do that would have prevented it? Did the company undertake any actions to prevent this (or similar things) from happening again? Was there a public outcry over the company's response to the breach? How did the company address the public's reaction? What consequences did the company or individuals at the company suffer (firings, legal liabilities, etc.)? What recommendations would you make to prevent a similar breach from occurring?.

Answer 1

CASE STUDY:MARRIOTT DATA BREACH

On November 30, 2018, hospitality giant Marriott International announced that an “unauthorized party” gained access to the personal information of 500 million Starwood customers, joining the ever-growing list of massive breaches that seem to be occurring more and more frequently.

Marriott announced that, sometime in early September 2018, they received an alert from an internal security tool indicating that an attempt had been made by an unknown entity to access the Starwood guest reservation database. Shortly thereafter, Marriott engaged outside cyber security experts to aid in determining what exactly happened. It was discovered that there had been unauthorized access to the Starwood network as early as 2014. It was then discovered that this party had copied and encrypted customer information and acted towards removing it from the Starwood database.

Marriott advised that the data exposed included passwords, email addresses, departure and arrival dates and well as passport information.

Background on Marriott Breach

While Marriott says they are looking into how the breach took place, the question on everyone’s minds is why it was only detected now when it’s evident that it began over four years prior. With the extensive resources Marriott has available to them, they should have been able to identify and isolate the intrusion risk in 2014. Unfortunately, it was also around this point that Marriott had announced is acquisition of the Starwood Hotels and Resorts Worldwide, and that’s where the issue may have begun.

Not two months after the announcement of the merger, Starwood reported that it had suffered a large-scale credit card hack. Shortly thereafter, the company’s home website was the victim of a SQL injection attack and offers to hack the site were being made across the dark web. It is for this reason that experts are saying Marriott should have known, at that time, that they were taking a considerable risk in acquiring Starwood.

Risk Model Estimates

Catastrophe risk modelling firm, AIR Worldwide, estimates that the direct cyber incident losses for the breach will be in the neighborhood of $200 million to $600 million. These estimates are based on both the quantity of consumers affected, as well as the type of information involved.

AIR Worldwide mentions that the large ($200m-$600m) range of loss estimates reflects the relative uncertainty about the data that was stolen, such as duplicate records and additional uncertainty relating to whether or not encryption keys had been stolen along with encrypted credit card data.

It should be noted that loss estimates are based solely on an analysis using AIR’s “Cyber Risk Model.” As a result, they are subject to uncertainty and not based on any actual policy or loss data reported by Marriott. It’s worth noting that some of the financial impact to Marriott may be partially mitigated by cyber insurance and liability insurance coverage they supposedly have; this is not accounted for in the loss estimates.

Government Regulation

As part of the EU’s GDPR, and Canada’s PIPEDA, the hospitality industry is under pressure to comply as the range and nature of personal data held in any guest database poses a particularly high risk if found in the wrong hands.

“This is much more than a consumer data breach. When you think of this from an intelligence gathering standpoint, it is illuminating the patterns of life of global political and business leaders, including who they traveled with, when and where. That is incredibly efficient reconnaissance gathering and elevates this breach to a national security problem.”

Michael Daly – Cybersecurity Chief Technology Officer, Raytheon Intelligence

Beyond regulatory examination, Marriott is now facing multiple class action lawsuits as a result of the breach.

Application Security Testing

SQL Injection vulnerabilities are not a new type of vulnerability and have been center stage for many data breaches. These vulnerabilities can be discovered through an application securityassessment performed by an experienced team of ethical hackers. Application Security Testing evaluates various threats and helps detect vulnerabilities in your applications before a data breach. Given the significant cost of a data breach, proactive testing is essential to reduce risk.

At Packetlabs, our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often, firms will try to commoditize security testing by heavily depending on automated testing and trivial VA scans with little benefit to the client. Our methodology only begins with automated testing. After that, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.

We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients have been breached by a vulnerability we’ve missed; we take this very seriously.

How did it happen and what was the impact?

Many of the details remain undisclosed, but this cyberattack is a cautionary tale about IT security, mergers and acquisitions, and Chinese espionage.

In late 2018, the Marriott hotel chain announced that one of its reservation systems had been compromised, with hundreds of millions of customer records, including credit card and passport numbers, being exfiltrated by the attackers. While Marriott has not disclosed the full timeline or technical details of the assault, what we do know tells us quite a bit about the current threat landscape — and offers lessons for other enterprises on how to protect themselves.

We answer 10 frequently asked questions.

When was the Marriott breach?

On September 8, 2018, an internal security tool flagged as suspicious an attempt to access the internal guest reservation database for Marriott's Starwood brands, which include the Westin, Sheraton, St. Regis, and W hotels. This prompted an internal investigation that determined, through a forensicsprocess that Marriott has not discussed in detail, that the Starwood network had been compromised sometime in 2014 — back when Starwood had been a separate company. Marriott purchased Starwood in 2016, but nearly two years later, the former Starwood hotels hadn't been migrated to Marriott's own reservation system and were still using IT infrastructure inherited from Starwood, an important factor that we'll revisit in more detail later.

[ How much does a data breach cost?. ]

In their investigation, Marriott found data that the attackers had encrypted and attempted (probably successfully) to remove from the Starwood systems. By November, they had managed to decrypt that data and discovered that it included information from up to 500 million guest records, though those undoubtedly include duplicate records or multiple records pertaining to individual guests. Many of the records include extremely sensitive information like credit card and passport numbers. Now aware of the severity of the breach, Marriott released a statement on November 30, 2018, outlining the basics we've described here.

What caused the Marriott data breach?

Marriott has not made many of the details of the attack public, so we can't say for certain what vulnerability or mistake was the direct cause of the breach. Marriott CEO Arne Sorenson appeared before the U.S. Senate to talk about the attack, and the transcript of his testimony provides a window into what we do know.

As we noted, Marriott first became aware that they'd been hacked when a security tool flagged an unusual database query. (The tool was actually monitored by Accenture, who had been running IT and infosecurity for Starwood before the merger and continued to do for the legacy network afterwards.) The database query was made by a user with administrator privileges, but analysis quickly revealed that the person to whom that account was assigned was not the one who made the query; someone else had managed to take control of account.

Investigators began scouring the system for clues, and discovered a Remote Access Trojan (RAT) along with MimiKatz, a tool for sniffing out username/password combos in system memory. Together, these two tools could have given the attackers control of the administrator account. It's not clear how the RAT was placed onto the Starwood server, but such Trojans are often downloaded from phishing emails, and it's reasonable to guess that might've been the case here.

But lurking behind these specific attack vectors lay a series of cultural and business factors that we might label the root cause of the breach. What stands out here is not the attack's success in breaching Starwood's systems — most security experts today believe it's almost impossible to keep all attackers at bay all the time — but rather that the attack went undetected for four years. Starwood did not have the best security culture before its acquisition by Marriott; the Wall Street Journal reported that Starwood employees perennially found the reservation system difficult to secure, and in fact a different attacker breached the system in 2015 and wasn't detected for eight months. Then, after Marriott acquired Starwood in September 2016, most of Starwood's corporate staff, including those managing information technology and security, were laid off. That sort of payroll cutting is exactly what produces the "synergies" and higher profits that drive these sorts of mergers in the first place, of course, but Marriott was nowhere close to ready to book guests at its thousands of newly acquired hotels with its own in-house reservation system, and so Starwood's old system limped on, zombie-like, infected with malware, breached by hackers, and without much by way of continuity of care, for another two years before the breach was finally discovered.

What was the impact of the Marriott breach?

At one level, the Marriott breach was potentially catastrophic: hundreds of millions of people had their passport and credit card numbers stolen, which could have disastrous personal impacts. The credit card number aspects are particularly worrying, and were made possible by yet another security failing on Marriott's part: while the credit card numbers were stored in encrypted form, the encryption keys were stored on the same server, and were also apparently scooped up in the breach. As for the passport numbers, while some were encrypted, the majority were simply saved in the clear.

But the breach in fact does not seem to have had the damaging impact on Starwood customers that it could have. That may seem strange, and to understand the reason for it, we need to answer a couple more questions: who breached Marriott, and why.

Who hacked Marriott and why?

Mass theft of consumer data is often associated with cybercriminals aiming to perform identity theft or make use of stolen credit card numbers. But in December 2018, articles in the New York Times and the Washington Post, citing unnamed sources in the U.S. government, pointed a finger in an entirely different direction: at hackers employed by Chinese intelligence services.

The Post's and Times's sources had access to more data about the hack than has been made public, and say that the code and attack patterns used match up with techniques employed by state-sponsored Chinese hackers; the attackers used a cloud-hosting space frequently used by Chinese hackers, for instance. (The involvement of U.S. intelligence service in the investigation and the sensitive nature of the attack probably explains why not much by way of technical details has been released.) Another clue that this breach is part of a government attack rather than mere cybercriminals is the fact that none of those millions of valuable records have ended up for sale on the dark web; this wasn't a mere plundering raid.

What would the motivation for the attack be, then? The government sources speculate that it was part of a broader Chinese effort to acquire massive amounts of data on American government employees and intelligence officers; Marriott is the top hotel provider for the U.S. government and military. The stolen passport numbers in particular could be used to track movements around the world. The breach of the Office of Personnel Management's systems, which similarly resulted in millions of individuals having their data stolen but none of that data ending up on the dark web or being used for fraud, was probably part of the same campaign. The larger goal is to create a data lake of information on American government employees and agents that big data techniques can be used to analyze.

Somewhat suspiciously in retrospect, Marriott had to fight off a bid from Anbang, a Chinese company, when it acquired Starwood. However, when all that played out in 2016, the Chinese hackers had already breached Starwood's systems, so it may have been a coincidence.

In February of 2020, the United States Department of Justice formally charged four members of the Chinese military with the 2017 attack on Equifax that netted personally identifying information on millions of people; in the announcement of the indictment, the Equifax attack was explicitly linked to the Marriott and OPM breaches as part of the same larger operation. This was an extremely rare move — the U.S. rarely files criminal charges against foreign intelligence officers in order to avoid retaliation against American operatives — that underscored how seriously the U.S. government took the attack.

How did Marriott respond to the breach?

Perhaps because there seems to be no immediate threat of the stolen data being used for conventional fraud, Marriott has not gone out of its way to compensate any of its customers whose data was stolen. The New York Times quotes a Marriott spokesperson as saying the company would pay the replacement cost for a passport with a new number or cover credit card expenses "if fraud has taken place." While the potential damage from personal data now stored with Chinese intelligence is in theory profound, it's difficult to quantify, especially for individuals.

Is there a Marriott data breach class action lawsuit?

Of course, that's all cold comfort if you're one of the individuals affected, and in fact Marriott and Starwood customers aren't taking the matter lying down. Multiple class action lawsuits have already been filed, and the failure of Marriott to perform due diligence on Starwood's information security (or lack thereof) has been specifically singled out in the court documents from the plaintiffs. Accenture, the consulting company to whom Starwood (and subsequently Marriott) had outsourced much of its day-to-day IT operations, is also being sued as part of the same lawsuit.

Still, don't count on a Marriott data breach settlement delivering a big payday. Consumer Reports has some details on which customers will automatically be rolled into the class action and how you can opt out; they predict that any compensation to individuals will be modest.

What did the Marriott data breach cost?

That doesn't mean the company's getting away scot free, however. As of March 2019, the company had incurred $28 million in expenses related to breach — and yet that only lowered the company's bottom line by $3 million. By May, the company had cut its losses to a mere $1 million. How? Cyberinsurance, which covered much of the initial costs associated with the crisis. Insurance against cyberattacks is a relatively new offering, but it seems to have paid off for Marriott.

But those initial costs are just that — the beginning. ZDNet estimated that between direct costs and indirect losses caused by customers shying away from the company in the future, Marriott could ultimately see billions of dollars in lost revenue as a result of the breach.

Has Marriott been fined for the data breach?

And indeed, in July of 2019 a much harsher blow landed on the company. The UK's Information Commissioner's Office (ICO) levied a fine of £99 million — more than $120 million — for violating British citizens' privacy rights under the GDPR. (The GDPR is an EU law, but still applies to Britain as Brexit has yet to go through.) Again, the ICO specifically cited Marriott's failure to do due diligence on Starwood's IT infrastructure as an explanation as to why Marriott was being punished for Starwood's mistakes. The massive fine may only be the beginning, as other jurisdictions could also look to punish the company for its lapses.

Marriott data breach case study: What can you learn from Marriott's mistakes?

We may never know all the details behind this breach, but just from what we've discussed here, a lot of important things should have come into focus for you:

• Starwood and Marriott were guilty of basic security failings: Lack of defense in depth that allowed attackers to stay in the system for years after breaching it, for instance, and failure to keep encrypted data and the keys used to encrypt it separate. Marriott failed to follow the most important cybersecurity rule: assume you are compromised and act accordingly.
• The bumpy transition associated with the Marriott-Starwood merger — the firing of Starwood's IT staff, and the long period during which Starwood's legacy systems were maintained in limbo — exacerbated the problem. The big UK fine is a hint that regulators will be holding post-merger corporations liable for these kinds of issues.
• Travel data is rich in information that can offer key insights into the lifestyles, tastes, and relationships of individuals, but the travel industry is far behind sectors like banking when it comes to cybersecurity and needs to catch up now.
• Finally, the hack showed that even private individuals can become collateral damage in the spy vs. spy world of government espionage.

What is the Marriott data breach scam?

One last note on this subject: a common scam in the aftermath of big breaches like this comes in the form of phishing emails claiming to be from the affected company, asking you to reset your password (and in the process tricking you into handing over your login credentials). Be extra vigilant and on the lookout for scams like these. Marriott didn't help things by their decision to put material related to the breach.

If your information was exposed, take advantage of the free monitoring service, and consider taking these additional steps:

• Check your credit reports from Equifax, Experian, and TransUnion — for free — by visiting annualcreditreport.com. Accounts or activity that you don’t recognize could signal identity theft. Visit IdentityTheft.gov to find out what to do.

• Review your payment card statements carefully. Look for credit or debit card charges you don’t recognize. If you find fraudulent charges, contact your credit card company or bank right away, report the fraud, and request a new payment card number.

• Place a fraud alert on your credit files. A fraud alert warns creditors that you may be an identity theft victim and that they should verify that anyone seeking credit in your name really is you. A fraud alert is free and lasts a year.

• Consider placing a free credit freeze on your credit reports. A credit freeze makes it harder for someone to open a new account in your name. Keep in mind that it won’t stop a thief from making charges to your existing accounts.