Marriott's Mega-Breach: Many Concerns, But Few Answers
Massive Breach Prompts Calls for New Data Security and Minimization Laws
Marriott's massive data breach underscores the challenges companies face in securing systems that come via acquisitions as well as the perils of storing too much consumer data for too long, computer security experts say.
The data breach, which affected up to 500 million customers of Marriott's Starwood unit, saw names, email addresses, physical addresses, birthdates and passport numbers get exposed for up to 327 million individuals (see Marriott's Starwood Reservation Hack Could Affect 500 Million).
For some of those 327 million guests, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption, Marriott says. "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."
For the remaining guests, about 173 million, the information exposed was limited to name and sometimes other data such as mailing address, email address or other information, the hotel giant reports.
Already, the mega-breach has given rise to calls for stronger data protection legislation in the U.S.
Sen. Mark Warner, D-Virginia, one of the most active senators on data privacy and protection issues, says Congress should not accept the new trend of mega data breaches as normal.
"We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need," Warner said in a statement issued on Friday. "And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses."
Attorneys general in New York, Massachusetts, Maryland and Illinois have opened investigations. In the U.K., the Information Commissioner's Office says it is making inquiries.
Europe has set the standard for strict data protection laws with the General Data Protection Regulation, which went into effect in May. Tough financial penalties can be imposed on entities that fail to protect consumer data. Observers are watching closely to see how regulators will interpret its provisions and how hard they may punish violators.
You've Bought A Breach
Marriott says that attackers had access to its guest reservation network for its Starwood properties since 2014. In September 2016, Marriott International completed its acquisition of Starwood Hotels & Resorts Worldwide for $13 billion.
Starwood's brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Due diligence has taken on new levels of complexity in the era of big data breaches, which was exhibited most prominently during Verizon's acquisition of Yahoo. The deal was still being discussed when Yahoo disclosed a massive data breach, which caused the acquisition price to be reduced by $350 million and Yahoo to bear some of the cost of lawsuits and regulatory actions (see Breach Repercussions: Yahoo Reports Verizon Deal Delay).
"It's much harder to understand the cybersecurity risk you're acquiring than it is to audit financial statements when you buy another company," says Bruce Potter, chief information security officer at Expel.
In one sense, Verizon was lucky that Yahoo's misfortune was revealed before the deal got sealed. By comparison, Marriott says that one of its internal security tools only detected unauthorized access to the database on Sept. 8, some two years after its Starwood acquisition wrapped.
Inheriting another company's IT systems can pose all kinds of trouble, particularly if there isn't rigorous oversight and review, says Vivek Lakshman, vice president of innovation at ThumbSignIn. He says that breaches in general are becoming harder to detect, and IT teams can easily miss warning signs.
"It becomes even more complex when two organizations merge with each other and attempt to combine their disparate IT systems and processes," Lakshman says.
Marriott should have been on high alert from the start, given a problem Starwood disclosed in November 2015, which was the same month Marriott announced its plans to buy the company.
At that time, Starwood announced that its point-of-sale systems in some restaurants and gift shops had been infected with malware that collected the details of payment cards (see: Banks: Starwood Breach Not Isolated).
Security experts say these disclosures should be a red alert, not least for anyone engaged in merger and acquisition discussions. "A prior breach is a real risk issue for a company to take on and needs to be considered," says Matt Aldridge, a senior solutions architect at Webroot. "Cyber hygiene needs to be embedded into business processes at all levels."
Opaque Breach Disclosure
Marriott has released little information on exactly how the breach occurred. Besides the internal security alert, Marriott says that an "unauthorized party had copied and encrypted information, and took steps towards removing it."
Jake Williams, founder of Rendition Infosec, a security consultancy in Atlanta, tweets that Marriott's statement is "either intentionally misleading or so vague as to be meaningless."
"What does this even mean? It's either intentionally misleading or so vague as to be meaningless. Was the data discovered on the dark web? Probably not since it was encrypted. Was it discovered on another internal machine? How did Marriott know it was sensitive? 2/n pic.twitter.com/cQMPjbvngc" — Jake Williams (@MalwareJake), November 30, 2018
"That sentence specifically leaves me with more questions than answers," he writes in another tweet. "Infosec peeps: work with your PR teams to draft statements that don't leave experts (and press) scratching their heads wondering if you know what you're talking about."
Williams also notes that "for a breach of this magnitude, with almost three months to investigate, the lack of detail in this statement is underwhelming."
Dark Web Data Sales
The identity of whoever had access to the reservation database hasn't been revealed, or else remains unknown. Over the next few months, investigators will try to figure out where the data may have ended up.
Underground marketplaces on the so-called dark web are the go-to place to sell stolen data, but it doesn't appear the Marriott data is being offered just yet. However, the public revelation of a breach can cause hackers to try to monetize data, particularly stolen payment card numbers, before issuers cancel cards that have a high potential of being used for fraud.
There are also worries over the leak of passport numbers. In the short term, much consumer data can go stale: email addresses, physical addresses, phone numbers. But static data, such as Social Security numbers or driver's license numbers, are less likely to change over time.
Passport numbers would fall into that bucket. The U.S. does change a passport number when someone renews their document. But adult passports remain valid for 10 years, and the cybercrime underground has taken notice.
"It is remarkably easy to request a replacement credit card from your financial institution, and you are not responsible for fraudulent activities," says John Gunn, chief marketing officer with OneSpan. "Try that with your passport. Stolen passports sell for a magnitude more than stolen credit cards on the dark web."
For fraudsters, aggregating data from different breaches can be powerful, says Michael Magrath, director of global regulations and standards at OneSpan. Mixing, matching and cross-verifying data from various breaches can help fraudsters create cobbled "synthetic" identities, which can be used for fraud.
"The Marriott breach only makes their task easier and more likely to succeed," Magrath says.
Blizzard of Breaches
Although Marriott's breach appears to rank just behind Yahoo's but ahead of Equifax's in the number of people affected, some consumers shrugged over yet another entry in the long list of breached companies.
A Twitter account in the name of Bianca Hudson writes: "Is anyone else completely desensitized by all these data breaches? I didn't even blink twice when I read the news about #starwood #marriott. I'm pretty sure the dark web has all the data about me from about a thousand other breaches, so not exactly concerned here."