Marriott Data Breach – What the Experts are Saying

Marriott is investigating a data breach of its Starwood reservation system that could have exposed personal information for up to 500 million guests — making it the second-largest breach ever. That data could include passport numbers, email addresses, and phone numbers for 327 million people, while others may also have had credit card information accessed.

In a statement, Marriott says, “Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.”

Below are reactions from cybersecurity experts around the globe.  New industry expert comments will be added as they are received.

Franklyn Jones, CMO, Cequence:

“Unfortunately, we can also expect to see a long tail effect from this breach.  As this data finds its way to the dark web, these stolen credentials will be acquired by other bad actors. They, in turn, will orchestrate high volume bot attacks to see if the stolen credentials can also provide access to web, mobile, and API application services of other organizations.”

Satya Gupta, CTO and Co-founder, Virsec:

“What’s most disturbing about this attack is the enormous dwell time inside Starwood’s systems. The attackers apparently had unauthorized access since 2014 – a massive window of opportunity to explore internal servers, escalate privileges, moves laterally to other systems, and plot a careful exfiltration strategy before being discovered. All organizations should assume that the next threat is already inside their networks and won’t be caught by conventional perimeter security. We need much more careful scrutiny of what critical applications are actually doing to spot signs of internal corruption. We must reduce dwell time from years to seconds.”

Pravin Kothari, CEO of cloud security vendor CipherCloud:

“Let’s get this in context – the Marriott data breach may be one of the largest in history only exceeded by the Yahoo! Data breach in December of 2016 which purportedly lost approximately 1 billion records. Other large breaches included the Yahoo! Breach of about 500 million, announced in September 2016, and the MySpace data breach of 360 million announced in May 2016.

Other than the sheer number of records compromised, this breach stands out even more because of the dwell time by the attacker within Marriott’s networks. The illegal access has been active since 2014! Marriott apparently learned of the data theft on November 19, 2018. This is all too often the case with most large-scale breaches – even current industry averages within the U.S. of about 100 days are way too long.

Finally, critical data may have been encrypted but apparently, the data encryption keys were stored alongside the data and then both were then accessed by the criminals. If true, this literally provided the thieves with the keys to the kingdom. Best practice today is to encrypt the data at the edge so that it is continuously encrypted in transit (network, APIs, middleware), in use, and in the database. The data encryption keys must not be shared with any cloud providers and must be stored and protected separately.

Yesterday’s best practice cyber defense is no longer good enough. You must assume attackers will get into your network. You must have the leading edge technology in place to detect and shut down attackers that have compromised your network. You must have adequate defenses to protect and lock down your data, both in the cloud and on-premise. Implications
of the Marriott breach? Just to start, think of the compliance problems. Any company with 500 million records compromised today likely has data which is regulated under the EU GDPR. What fines may arise from this? What other compliance laws pertain to this data breach?”

John Gunn, CMO, OneSpan:

The significance of the Marriott breach is not in the number of records that were compromised, that is relatively small. Its impact on the victims is much greater than the numbers reveal. It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport. This may be an emerging trend with hacking organizations, to target large pools of passport data. Stolen passports sell for a magnitude more than stolen credit cards on the dark web.

Michael Magrath, Director, Global Regulations & Standards, OneSpan: 

The vast stores of personally identifiable data on the Dark Web continue to grow at historic rates, and fraudsters have rich resources with which to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal data obtained in one breach could be crossed referenced with data obtained from another breach and other widely publicized private sector breaches, and the Marriott breach only makes their task that much easier and more likely to succeed.  Having the databases in the same place makes things even easier for the bad guys.

Cyber attacks such as Marriott’s will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations but also making sure all third-party partners have equal cybersecurity measures in place.

Gary Roboff, Senior Advisor, the Santa Fe Group:

How could a breach like this continue for 4 years?

If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a “mass data dump exfiltration event” in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.

While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly

Bimal Gandhi, Chief Executive Officer, Uniken

“Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web.
“Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well.  Hotels, hospitality companies, banks, and eCommerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII.
“Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond PII authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor, in order to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network

“Invisible multifactor authentication solutions that rely on cryptographic key based authentication combined with device, environmental and behavioral technologies provide just such a solution. By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks.”

Colin Bastable, CEO of Lucy Security, a leader in cybersecurity training and detection:

“Kudos to Marriott for getting the news out as soon as they learned about the breach. It will be very painful for Marriott’s staff and shareholders, especially as this breach apparently started four years ago. Ninety-six percent of cyberattacks start with a phishing email and continue to badly impact consumers and the C Suite long after the attack. Marriott’s fast reporting shows some other recent cyberattack victims up in a bad light; they clearly had a plan in place for such a situation and executed on it.

In terms of consumer advice, consumers should never allow travel companies to consolidate different rewards or loyalty programs from airline and rental car companies, as this just broadens the consumer’s vulnerability footprint. It is a case of when, not if, consumers’ accounts are hacked – it will happen, so be prepared.”

Dedicated Call Center

Marriott has established a dedicated call center to answer questions you may have about this incident. The call center is open seven days a week and is available in multiple languages. Our dedicated call center may experience high call volume initially, and we appreciate your patience.

Email Notification

Marriott began sending emails on a rolling basis on November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.

Free WebWatcher Enrollment

Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. Guests from the United States who complete the WebWatcher enrollment process will also be provided fraud consultation services and reimbursement coverage for free. Click on your country, if listed, to begin the enrollment process.