The massive data breach of the Starwood guest reservation database disclosed by Marriott International on Friday is another reminder of how important it is for companies to assume that they will eventually be breached.
“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” the company announced on Friday. “Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”
The hackers successfully copied and encrypted data. They were apparently in the process of removing it when the attack was discovered.
Who was breached in the Marriott hack?
The company reports that the affected database includes over 500 million customers. For 327 million, the “information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” Customer financial data was encrypted but the company is not sure if the criminals extracted the key.
Marriott, the largest provider of hotel rooms in the world, completed its acquisition of Starwood Hotels & Resorts Worldwide in 2016. Starwood reported its own credit card breach that targeted 50 of its properties in 2015.
Brands affected by the hack include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels, and Starwood timeshare properties.
In addition to apologies, Marriott is offering affected customers a free year of online data monitoring.
Merging companies often leaves systems exposed
“This is a common trend where it’s usually not the main company that is targeted but rather attackers aim to compromise the softer underbelly of the organization which are usually IT service providers, contractors and other entities with a high number of interactions with the organization,” Tom Van de Wiele, Principal Security Consultant at F-Secure, says. “Interactions mean a lot of moving parts to try and control while other acquisition and fusion efforts are going on.”
Integrating the IT systems of two companies often exposes this underbelly. Two different sets of policies, requirements and security cultures often mean that some risks are not properly addressed.
Detection strategy is key
For Tom, the huge number of people affected combined with the length of time the hack has been going on is the most troubling aspect of this hack.
“The real root cause of this might never be known but when looking at other companies that have experienced similar situations for which F-Secure has performed incident response, the reason for this long detection and response time is usually a general lack of maturity in the detection strategy of the company when trying to find relevant information to track potential incidents, also called indicators of compromise.”
Tom advises making detection and response part of your company’s strategy for defending against targeted intrusions.
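As an added illustration of what a detection strategy built around indicators of compromise looks like in practice (example code written for this post, not an F-Secure or Marriott tool), the block below runs two simple rules over constructed database audit-log lines: access from a source host never approved for the reservation database, and a per-account volume of rows read inside a one-hour window that exceeds a bulk threshold. It also computes how long the first alert-worthy event sat unacted on. The log format, the account and host names, the threshold and the timestamps are all assumptions made for the example.

```python
"""
Added example: a minimal indicator-of-compromise detection pass over
constructed database audit-log lines. Not code from the original post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format:
# "<ISO timestamp> user=<account> src=<host> op=<operation> rows=<count>"
SAMPLE_LOG = """\
2018-09-07T09:12:03 user=svc_reporting src=app-01.internal op=SELECT rows=120
2018-09-07T09:14:10 user=jdoe src=wks-22.internal op=SELECT rows=4
2018-09-08T02:41:55 user=svc_reporting src=203.0.113.7 op=SELECT rows=250000
2018-09-08T02:47:20 user=svc_reporting src=203.0.113.7 op=SELECT rows=300000
2018-09-08T02:52:01 user=svc_reporting src=203.0.113.7 op=EXPORT rows=450000
2018-09-08T08:00:30 user=jdoe src=wks-22.internal op=SELECT rows=2
"""

# Hypothetical tuning values: what counts as "bulk" for this database and
# which source hosts are expected to talk to it at all.
BULK_ROWS_PER_WINDOW = 100_000
KNOWN_SOURCES = {"app-01.internal", "wks-22.internal"}
WINDOW = timedelta(hours=1)


def parse_line(line):
    """Parse one audit line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "user": fields["user"], "src": fields["src"],
                "op": fields["op"], "rows": int(fields["rows"])}
    except (ValueError, KeyError):
        return None


def detect(log_text):
    """Return a list of (timestamp, rule, detail) alerts, oldest first."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []

    # Rule 1: an account reaching the database from a source that was never
    # approved for it. One alert per (account, source) pair to limit noise.
    seen_pairs = set()
    for e in events:
        pair = (e["user"], e["src"])
        if e["src"] not in KNOWN_SOURCES and pair not in seen_pairs:
            seen_pairs.add(pair)
            alerts.append((e["ts"], "unknown_source",
                           f"{e['user']} from {e['src']}"))

    # Rule 2: rows read by one account inside a sliding window exceed the
    # bulk threshold. One alert per account for the run.
    recent = defaultdict(list)   # account -> [(ts, rows)] still inside WINDOW
    flagged = set()
    for e in events:
        q = recent[e["user"]]
        q.append((e["ts"], e["rows"]))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.pop(0)
        total = sum(r for _, r in q)
        if total > BULK_ROWS_PER_WINDOW and e["user"] not in flagged:
            flagged.add(e["user"])
            alerts.append((e["ts"], "bulk_read",
                           f"{e['user']} read {total} rows within {WINDOW}"))

    alerts.sort()
    return alerts


def dwell_time_seconds(alerts, detected_at_iso):
    """Seconds between the earliest alert and the moment someone acted on it."""
    if not alerts:
        return None
    detected_at = datetime.fromisoformat(detected_at_iso)
    return int((detected_at - alerts[0][0]).total_seconds())


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for ts, rule, detail in found:
        print(ts.isoformat(), rule, detail)
    # Assumed time at which an analyst first looked at the alerts.
    print("dwell seconds:", dwell_time_seconds(found, "2018-09-08T09:00:00"))
```

The point of the `dwell_time_seconds` figure is that a detection strategy is measured not only by whether a rule eventually fires, but by how quickly a fired rule reaches someone who acts on it; the sample here produces a dwell of a few hours, whereas the breach described above went undetected for years.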
Encryption is a good thing, but no guarantee
“Companies should assume a breach and with that assume that their database of valuable information can be stolen by an attacker,” Tom said. “Following the defense-in-depth principle this is the right thing to do, to provide layers of protection or resistance to limit the impact of the attack.”
But customers still need to take precautions.
“After all is said and done, encryption and the encryption of data is still dependent on who has the keys to be able to decrypt, or, make the information readable again,” Tom said. “Having locks on doors is great, but not if you are only doing it to say that you have locks and keep a key handy under every doormat.”
Watch out for copycats
Tom also noted that criminals are always watching. They may like what they see in this Marriott hack.
“This might spur more criminals to try and attempt the same against similar companies or hotel groups, now knowing what the gain can be. 500 million is an insane number but I’m sure there is someone out there right now convinced they can top that. Sooner or later.”