In a notice posted on its website, Marriott International announced that approximately 5.2 million guests could be affected by a recent data breach. According to the company, a property system used by hotels operated and franchised under Marriott's brands was accessed using the compromised login credentials of two employees at a franchise property. The company learned of the data breach at the end of February but believes that the activity started in mid-January.
Upon discovery, the company disabled the compromised login credentials, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.
According to Marriott, Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers were not compromised. Instead, it believes information compromised included:
- contact details (e.g., name, mailing address, email address, and phone number)
- loyalty account information (e.g., account number and points balance, but not passwords)
- additional personal details (e.g., company, gender, and birthday day and month)
- partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
- preferences (e.g., stay/room preferences and language preference)
Marriott carries insurance, including cyber insurance, commensurate with its size and the nature of its operations, and the company is working with its insurers to assess coverage. The company does not currently believe that its total costs related to this incident will be significant.
INDUSTRY EXPERT COMMENTARY
On how the criminals gained access to guest information...
"A frequent goal of targeted phishing attacks is credential theft and account takeover, which can be leveraged for attacks," said Chris Hazelton, Director of Security Solutions at Lookout. "While we don’t have all the details yet, it is highly likely that this breach started with a phishing attack which enabled a threat actor to steal the credentials of two employees at a Marriott franchise. Acquiring these credentials gave the cybercriminals nearly unlimited access to Marriott customer records. Luckily this data did not include highly sensitive information, such as passwords or payment information. For this reason, the attack may have targeted a CRM system or other non-financial enterprise app."
"Recent Vectra research shows that privileged access from unknown hosts occurs inside every industry, leading to unintended exposure of critical systems," said Chris Morales, head of security analytics at Vectra. "Yet these privileged accounts rarely receive direct oversight or technical control of how they are used, even when privileged access management tools are in place. It is this lack of oversight or understanding of how privileged accounts are being used that creates the operational and financial risk for organizations. If used improperly, privileged accounts have the power to cause much damage, including data theft, espionage, sabotage, or ransom."
“Lost, stolen, or misused employee credentials leading to data breach is an important conversation we need to be having, because identity and access management and multi-factor authentication are often overlooked technologies," said Sam Pfanstiel, Director of Security Consulting Services, ControlScan. "We have seen privilege abuse and misuse behind a growing number of attacks. While certainly we don’t know all the details surrounding this breach—whether the credentials were stolen through a targeted phishing attack, or if this was an insider threat—we do know that the current way of protecting credentials and user authentication simply isn’t working. A return is in order to strong authentication, principle of least privilege, and active security monitoring to curb this disturbing trend."
On not implementing security basics...
“The essential practices of protecting systems and applications are well known - they are enumerated in the NIST Cybersecurity Framework. Companies can choose to either proactively implement those practices consistently in their systems, or they can choose to be frequently compromised. There is no other alternative," says Kelly White, CEO, RiskRecon. "This breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring. Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or dramatically decreased the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior.”
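A small illustration of the account-activity monitoring White is describing, added here as an example rather than code from the article or from any vendor quoted in it: it parses constructed property-system access logs, counts the distinct guest records each account fetched, and flags accounts whose volume is far above the peer median. The log format, account names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample of property-system access logs (an assumed format, not
# Marriott's). Most desk accounts look up a handful of guests; one pulls far more.
SAMPLE_LOG = "\n".join(
    [f"2020-01-20T09:{m:02d}:00Z user=desk01 action=guest_lookup guest=G{m}" for m in range(5)]
    + [f"2020-01-20T10:{m:02d}:00Z user=desk02 action=guest_lookup guest=G{100 + m}" for m in range(7)]
    + [f"2020-01-20T11:{m:02d}:00Z user=desk03 action=guest_lookup guest=G{200 + m}" for m in range(4)]
    + [f"2020-01-20T02:{m:02d}:00Z user=fr_acct action=guest_lookup guest=G{900 + m}" for m in range(60)]
    + ["2020-01-20T12:00:00Z user=desk01 action=login guest=-"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) guest=(?P<guest>\S+)$")


def distinct_lookups(log_text):
    """Count the distinct guest records each account fetched; non-lookup events are ignored."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "guest_lookup":
            continue
        seen[m["user"]].add(m["guest"])
    return {user: len(guests) for user, guests in seen.items()}


def flag_outliers(counts, factor=5.0, floor=20):
    """Flag accounts whose lookup volume is far above the peer baseline.

    The baseline is the median across accounts, which a single runaway account
    cannot drag upward. An account is flagged only when it exceeds both
    factor * median and an absolute floor, so a small fleet of accounts does not
    alert on ordinary day-to-day variation.
    """
    if not counts:
        return {}
    baseline = median(counts.values())
    threshold = max(factor * baseline, floor)
    return {user: n for user, n in counts.items() if n > threshold}


if __name__ == "__main__":
    counts = distinct_lookups(SAMPLE_LOG)
    peer_median = median(counts.values())
    for user, n in sorted(flag_outliers(counts).items()):
        print(f"ALERT {user}: {n} distinct guest records vs peer median {peer_median:.0f}")
```

In a real deployment the same comparison would run per time window (hour or day) and the baseline would come from each account's own history as well as its peers.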
On how cyber criminals will use compromised data...
“The biggest threat Marriott guests might face as a result of this breach is targeted phishing," said Paul Bischoff, privacy advocate with Comparitech. "Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company. Don't click on links or attachments in unsolicited emails. Check email addresses and don't just trust display names. If you're uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google.”
“Account takeover (ATO) attacks are a major threat to any business," says Ameet Naik, security evangelist at PerimeterX. "It is much simpler and lucrative to walk in through the front door with valid stolen credentials than to look for holes in an organization's cybersecurity defenses. With the vast volume of stolen credentials out there, hackers launch credential stuffing attacks using automated bots. Eventually they find a username and password that works that will let them buy goods for resale, drain loyalty accounts of points or steal personal information. The data stolen from this breach will invariably make it to the dark web and further fuel this cycle of ATO attacks.
“In the past month we have seen a significant increase in the percentage of ATO traffic to travel and hospitality sites, surging to as high as 80% of all login attempts. This shows that while travelers are staying home, the hackers are still out and about," Naik adds. "For enterprises, it is extremely important to use multi-factor authentication for admin accounts, and use bot management solutions to limit automated attacks. For consumers, it is best to use different passwords on every site and to lock down their credit reports."
On what Marriott can do to make it up to consumers...
“Consumers have grown used to the hospitality industry’s data incontinence, but leaked email addresses mean that the risk continues for consumers long after the initial attack is over," said Colin Bastable, CEO of security awareness training company Lucy Security. "Credit monitoring is a cliché – does anyone care anymore? How about giving Bonvoy members some more points to make up for the years of phishing emails that will result? And consumers really do need to stop linking rewards programs.”
On making data useless to hackers...
"Payment card data breaches have captured the headlines since late 2013," said Ruston Miles, CSO at Bluefin. "Hackers monetize this data by selling it to fraudsters on the dark web. However, there are other motives that drive the theft of sensitive data such as disrupting business or inflicting reputational damage. Criminals work tirelessly to gain access to protected networks. No matter what their motives are, rendering sensitive financial and personal data useless to hackers should be a top priority so that in the event of a breach, the data cannot be compromised. Examples of this in action are businesses using PCI-certified encryption and tokenization to devalue sensitive records."
On how criminals don't take a break, even during pandemics...
“The hospitality sector is already under immense strain, but cyber security needs to remain a priority even during this challenging moment," said Marcus Fowler, Director of Strategic Threat at Darktrace. "This breach should serve as a wake-up call to all in the hospitality sector – and other industries being negatively impacted by the pandemic – that they are still targets. Attackers won’t wait to attack until business has stabilized, or until security and IT teams have completed the transition to remote work. Instead, adversaries will look to use this uncertainty and upheaval to their advantage – striking while businesses are struggling to adapt. Unfortunately, the risks of business email compromise are exacerbated when employees are working remotely, and are hungry to receive information from colleagues or updates from their company. Employees need to remain on high alert for targeted phishing campaigns and businesses need to find ways to support their security teams. Technology like AI that can streamline investigations and stop attacks before they can do damage can buy back valuable time for overwhelmed teams.”
"With Marriott, hackers gained access using login credentials of two employees from a franchise property," said Chris Day, SVP & GM, Immunity, at enterprise cybersecurity company AppGate. "Once the breach was discovered, Marriott began investigating and defensively implemented heightened monitoring. Of course at that point, it’s too late. In order to truly protect your business, you must take an offensive approach to cybersecurity. The only way to know you’re secure is to test your system, and the only way to test it is to try and hack it. Having an offensive mindset will be especially important as we navigate a deluge of new attacks related to COVID-19. Businesses should be actively looking to fortify their cybersecurity measures."
"A breach like this shows that even major global organizations are susceptible to cyberattacks," says Logan Kipp, Director of Sales Engineering at SiteLock. "While national hospitality organizations have more resources to devote to cybersecurity measures than your local bed and breakfast, both are a prime target for hackers because they sit on valuable customer data and financial information. For Marriott, rebuilding trust will be paramount since it's the company’s second major breach in recent memory. Every breach, whether your organization is affected firsthand or not, is a reminder to ramp up cybersecurity efforts and be proactive about evolving threats. Organizations cannot forget that even though they are out of office, hackers are on the clock 24/7."