By: Alex Shanteau, Senior Security Consultant, MAD Security | December 19, 2018
The massive breach of the reservation system for Marriott’s Starwood subsidiaries is no doubt one of the largest breaches to date and highlights some of the most prevalent security challenges for the hotel industry. As consolidation continues amongst hotel chains to achieve scale across more geographies, the likelihood of these types of breaches will continue to rise. In this post, I’ll analyze what exactly happened and how other hotel chains can avoid such breaches.
On November 30, 2018 Marriott announced that “On September 8, 2018, (Marriott) received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database…Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”
Four years: that is how long the attackers had been in the network. Technical details about the compromise were not disclosed, but I wonder whether they had only just installed a monitoring tool and, when they turned it on, finally saw the indicators of compromise, or perhaps the attackers had been in the network for that long but hadn’t attempted to access or exfiltrate data. My next question is: what’s the damage?
“contains information on up to approximately 500 million guests”
That is a lot of people, even larger than the Equifax breach at 148 million people. So what kind of data did the attacker access?
“the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
Breaking this down, passport numbers are unusual for a breach, and the rest of the information is undoubtedly going to result in people getting an influx of phishing calls and emails. One of my biggest concerns is related to the account information. Since many of us are guilty of reusing passwords across accounts, it makes it much easier for attackers to enumerate accounts on services such as PayPal, leading to additional issues for consumers.
If this was the extent of the data stolen, then it would still be a terrible breach…but they go on to say:
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128) …There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
So not only was there poor management of the encryption keys to begin with, but Marriott cannot confidently say what was taken, which makes the damage catastrophic for both Marriott’s customers and its brand. With 500 million customer records compromised, a massive amount of data must have left the network, and that outbound volume, along with the other indicators of compromise, should have been detected.
What can other hotel chains learn from this breach?
As in other verticals that engage in mergers and acquisitions, acquiring an entity often means acquiring its cybersecurity issues as well, including low and slow attacks that have been going on for years. If this breach had occurred in any other industry, such as banking or retail, the result would play out the same way: the acquiring company would suffer a reputational hit costing millions (if not billions). When a company acquires, merges with, or provides third-party access to its systems, that company remains totally and inescapably responsible for the due diligence that protects its enterprise.
On the retail side, you may recall that Target suffered a fate similar to Marriott’s in 2013, when attackers used credentials stolen from Target’s HVAC and refrigeration contractor, Fazio Mechanical Services, to reach an internal Target web application hosted on the internal network. This eventually led to the theft of roughly 70 million Target customers’ Personally Identifiable Information (PII) and 40 million credit cards. The takeaway is that if you are an organization with multiple third-party vendors, you should implement a vendor risk management framework that establishes multiple lines of defense and holds both you and your vendors accountable, including regularly auditing vendors against a cyber framework (NIST, ISO, CSF, etc.) and requiring regular technical testing to find potential gaps in defenses.
In addition to a vendor risk management framework, organizations should invest in a solid cybersecurity strategy that includes strong preventative measures and a proper monitoring and alerting strategy, so that data breaches are detected in a timely manner. These measures should include many of the same protections recommended for your vendors, including regular gap assessments and technical testing.
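To make the monitoring point concrete, here is an added example (not code from the original post or from Marriott) of a minimal egress-volume baseline check of the kind an alerting strategy would run over summarised NetFlow or proxy logs; it illustrates why a bulk pull of hundreds of millions of records should stand out. All host names and byte counts are constructed.

```python
"""Added example: flag hosts whose daily outbound volume jumps far above
their own recent baseline. Host names and byte counts are constructed."""
from statistics import median

# Constructed daily outbound byte totals per internal host. The last value
# for the database server is the anomaly: a sustained multi-gigabyte transfer
# from a host that normally sends a few hundred megabytes a day.
DAILY_EGRESS = {
    "db-reservations-01": [310e6, 290e6, 305e6, 320e6, 298e6, 315e6, 41e9],
    "web-frontend-03":    [2.1e9, 2.4e9, 2.0e9, 2.3e9, 2.2e9, 2.5e9, 2.3e9],
}


def baseline(history):
    """Return (median, MAD) of the baseline window.

    Median and median absolute deviation are used instead of mean and
    standard deviation so a single earlier spike does not inflate the
    baseline and hide a later one. If every day is identical (MAD of 0),
    fall back to 5% of the median so the threshold is never zero.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history) or med * 0.05
    return med, mad


def egress_alerts(daily, k=10.0, min_bytes=5e9):
    """Alert when the latest day's egress exceeds median + k*MAD of the
    preceding days AND an absolute floor (min_bytes), so that noisy but
    tiny hosts do not page anyone."""
    alerts = []
    for host, series in daily.items():
        history, today = series[:-1], series[-1]
        med, mad = baseline(history)
        if today > med + k * mad and today > min_bytes:
            alerts.append({
                "host": host,
                "bytes": today,
                "baseline_median": med,
                "ratio": round(today / med, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in egress_alerts(DAILY_EGRESS):
        print(f"{alert['host']}: {alert['bytes']:.3e} bytes, "
              f"{alert['ratio']}x its usual daily egress")
```

In practice the baseline window would be weeks rather than six days, and the same check would be run per destination as well as per source host, since data often leaves through a single unusual external endpoint.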
Implementing a robust security strategy can be overwhelming for many companies, especially those with limited IT staff. Organizations should consider looking to external consultants to fill these knowledge gaps and to ensure that the organization is secure and its sensitive data is protected. This may involve engaging a Managed Security Services Provider (MSSP) to conduct a penetration test or a gap assessment that measures compliance with cybersecurity frameworks as well as the effectiveness of your overall cybersecurity posture. An MSSP can provide a proactive and cost-effective way for organizations to detect and respond to cybersecurity threats 24x7x365. Not only does this allow your core IT team to focus on the revenue-driving aspects of IT, but it saves you the overhead cost while giving you the peace of mind that comes with having cybersecurity expertise at your fingertips.
What to do if you were affected
For customers who were affected, Marriott has released a website with information about the incident, answers to common questions, and steps you can take, here. Additionally, if you have business accounts associated with Target that you feel may be affected, you should consider conducting dark web monitoring and mandating organization-wide password changes.
For those organizations reading this post as a cautionary tale, begin by understanding your vendor environment so you can implement a vendor risk framework as discussed above, then implement a strategy of continuous monitoring, enable multi-factor authentication across your user base, and mandate password changes quarterly. Last but not least, consider an MSSP to handle all of this for you so you can focus on growing your business!
If you’d like to learn more about our Managed Security Services, click here.