Marriott is investigating a data breach of its Starwood reservation system that could have exposed personal information for up to 500 million guests — making it the second-largest breach ever. That data could include passport numbers, email addresses, and phone numbers for 327 million people, while others may also have had credit card information accessed.
In a statement, Marriott says, “Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.”
Below are reactions from cybersecurity experts around the globe. New industry expert comments will be added as they are received.
Franklyn Jones, CMO, Cequence:
“Unfortunately, we can also expect to see a long tail effect from this breach. As this data finds its way to the dark web, these stolen credentials will be acquired by other bad actors. They, in turn, will orchestrate high volume bot attacks to see if the stolen credentials can also provide access to web, mobile, and API application services of other organizations.”
Satya Gupta, CTO and Co-founder, Virsec:
“What’s most disturbing about this attack is the enormous dwell time inside Starwood’s systems. The attackers apparently had unauthorized access since 2014 – a massive window of opportunity to explore internal servers, escalate privileges, move laterally to other systems, and plot a careful exfiltration strategy before being discovered. All organizations should assume that the next threat is already inside their networks and won’t be caught by conventional perimeter security. We need much more careful scrutiny of what critical applications are actually doing to spot signs of internal corruption. We must reduce dwell time from years to seconds.”
Pravin Kothari, CEO of cloud security vendor CipherCloud:
“Let’s get this in context – the Marriott data breach may be one of the largest in history, only exceeded by the Yahoo! data breach in December of 2016 which purportedly lost approximately 1 billion records. Other large breaches included the Yahoo! breach of about 500 million, announced in September 2016, and the MySpace data breach of 360 million announced in May 2016.
Other than the sheer number of records compromised, this breach stands out even more because of the dwell time by the attacker within Marriott’s networks. The illegal access has been active since 2014! Marriott apparently learned of the data theft on November 19, 2018. This is all too often the case with most large-scale breaches – even current industry averages within the U.S. of about 100 days are way too long.
Finally, critical data may have been encrypted but apparently, the data encryption keys were stored alongside the data and then both were accessed by the criminals. If true, this literally provided the thieves with the keys to the kingdom. Best practice today is to encrypt the data at the edge so that it is continuously encrypted in transit (network, APIs, middleware), in use, and in the database. The data encryption keys must not be shared with any cloud providers and must be stored and protected separately.
Yesterday’s best practice cyber defense is no longer good enough. You must assume attackers will get into your network. You must have the leading edge technology in place to detect and shut down attackers that have compromised your network. You must have adequate defenses to protect and lock down your data, both in the cloud and on-premise.
Implications of the Marriott breach? Just to start, think of the compliance problems. Any company with 500 million records compromised today likely has data which is regulated under the EU GDPR. What fines may arise from this? What other compliance laws pertain to this data breach?”
John Gunn, CMO, OneSpan:
“The significance of the Marriott breach is not in the number of records that were compromised, that is relatively small. Its impact on the victims is much greater than the numbers reveal. It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport. This may be an emerging trend with hacking organizations, to target large pools of passport data. Stolen passports sell for a magnitude more than stolen credit cards on the dark web.”
Michael Magrath, Director, Global Regulations & Standards, OneSpan:
“Cyber attacks such as Marriott’s will continue and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations but also make sure all third-party partners have equal cybersecurity measures in place.”
Gary Roboff, Senior Advisor, the Santa Fe Group:
“How could a breach like this continue for 4 years?
If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a “mass data dump exfiltration event” in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.
While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly.”
Bimal Gandhi, Chief Executive Officer, Uniken:
“Invisible multifactor authentication solutions that rely on cryptographic key based authentication combined with device, environmental and behavioral technologies provide just such a solution. By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks.”
Colin Bastable, CEO of Lucy Security, a leader in cybersecurity training and detection:
“Kudos to Marriott for getting the news out as soon as they learned about the breach. It will be very painful for Marriott’s staff and shareholders, especially as this breach apparently started four years ago. Ninety-six percent of cyberattacks start with a phishing email and continue to badly impact consumers and the C Suite long after the attack. Marriott’s fast reporting shows some other recent cyberattack victims up in a bad light; they clearly had a plan in place for such a situation and executed on it.
In terms of consumer advice, consumers should never allow travel companies to consolidate different rewards or loyalty programs from airline and rental car companies, as this just broadens the consumer’s vulnerability footprint. It is a case of when, not if, consumers’ accounts are hacked – it will happen, so be prepared.”
Dedicated Call Center
Marriott has established a dedicated call center to answer questions you may have about this incident. The call center is open seven days a week and is available in multiple languages. Our dedicated call center may experience high call volume initially, and we appreciate your patience.
Email Notification
Marriott began sending emails on a rolling basis on November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
Free WebWatcher Enrollment
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. Guests from the United States who complete the WebWatcher enrollment process will also be provided fraud consultation services and reimbursement coverage for free.