On November 30, Marriott announced it had discovered a data breach dating back to 2014 on the recently acquired Starwood Guest Reservation Database. The breach could affect up to 500 million guests. The company first learned of the breach on September 8, when an alert from an internal security tool notified it of an attempt to access the Starwood guest reservation database in the United States. The unauthorized party had copied and encrypted the information, and it wasn't until November 19 that Marriott was able to decrypt it and determine which of its guests were affected.
According to the company, compromised information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some guests, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128). Two components are needed to decrypt the payment card numbers, and at this point Marriott said it has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and, in some cases, mailing address, email address, or similar details.
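Marriott's statement does not say what the "two components" are. One standard design with exactly that property is envelope encryption: each card number is encrypted under its own data encryption key (DEK), and the DEK is stored next to the ciphertext only in wrapped form, encrypted under a key encryption key (KEK) that never lives in the database. An attacker who copies the database gets ciphertext plus wrapped keys; without the KEK, neither is usable. The following Go program is an added illustration of that design, not Marriott's or Starwood's code, and the assumption that their scheme works this way is mine. Type and function names (`EncryptedRecord`, `EncryptCard`, `DecryptCard`, `NewKEK`) and the test card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedRecord is what the hypothetical reservation database stores for one
// guest's card: the card number under a per-record DEK, and the DEK itself
// only in wrapped form under a KEK held outside the database (HSM, key service).
type EncryptedRecord struct {
	WrappedDEK []byte // nonce || AES-128-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-128-GCM(DEK, card number)
}

// NewKEK generates a random 16-byte key, i.e. an AES-128 key.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 16)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// sealGCM encrypts plaintext with AES-128-GCM and prepends the random nonce.
// GCM also authenticates, so a wrong key or tampered ciphertext is detected.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; it fails unless the same key was used.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptCard draws a fresh DEK, encrypts the card number under it and wraps
// the DEK under the KEK. The plaintext DEK never reaches the database.
func EncryptCard(kek []byte, cardNumber string) (EncryptedRecord, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := sealGCM(dek, []byte(cardNumber))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wrapped, err := sealGCM(kek, dek)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptCard needs both components: the record from the database and the KEK
// from the key store. A copy of the database alone yields nothing.
func DecryptCard(kek []byte, rec EncryptedRecord) (string, error) {
	dek, err := openGCM(kek, rec.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := openGCM(dek, rec.Ciphertext)
	if err != nil {
		return "", fmt.Errorf("decrypt card: %w", err)
	}
	return string(pt), nil
}

func main() {
	kek, _ := NewKEK()
	rec, _ := EncryptCard(kek, "4111111111111111") // constructed test number
	pan, err := DecryptCard(kek, rec)
	fmt.Println("with KEK:", pan, err)
	wrongKEK, _ := NewKEK() // attacker holding the database copy but not the KEK
	_, err = DecryptCard(wrongKEK, rec)
	fmt.Println("without KEK:", err)
}
```

The detection angle follows from the design: every decryption requires a call to the key store, so bulk decryption of millions of records shows up as an anomalous volume of unwrap requests at one choke point, which is far easier to alert on than reads against the database itself.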
While some might be shocked by the scale of this data breach, many security experts were not. In fact, the hospitality industry regularly falls behind other industries when it comes to data protection.
"Based on our analytics, the hotel industry dramatically underperforms long regulated industries such as banking and healthcare in key areas of cyber security," says Kelly White, founder and CEO of RiskRecon. "For example, in comparison with banks, hotels have a 400% higher rate of critical software vulnerabilities present in internet-facing systems that store and process sensitive, regulated information. In comparison with healthcare, hotels have a 180% higher rate."
Details of this particular breach, however, have both consumers and cybersecurity experts wondering: How exactly did this breach occur and why did it take four years for Marriott to discover it? How could the compromised information affect guests in the future and what will be some of the legal ramifications?
To find out, Hospitality Technology spoke with a range of cybersecurity experts and a lawyer to ascertain their opinions.
What are some of the significant things to note about this breach?
Tom Callahan, Director of MDR Services, ControlScan: “Organizations like Marriott International have technologies and teams in place to actively detect and respond to cybersecurity intrusions in real-time. A four-year lapse in detection signals a significant process flaw. In other words, there were intrinsic gaps in human oversight that resulted in missed warning signs and ultimately, inaction. You can have the best security tools money can buy, but if you don’t invest equally in the people interacting with the technology, then you’re making a costly mistake.”
Matt Aldridge, senior solutions architect, Webroot: "What’s interesting about this incident is that Starwood was breached two years prior to the Marriott acquisition, which brings up the question of: 'To what extent should Merger & Acquisition due diligence extend to cybersecurity audit, and if indeed this was done at the time, why did it not uncover this issue?' A prior breach is a real risk issue for a company to take on, and needs to be considered. Cyber hygiene needs to be embedded into business processes at all levels."
Ruston Miles, Founder and Chief Strategy Officer, Bluefin Payment Systems: "The ITRC (Identity Theft Resource Center) says that there were nearly 1,600 breaches in 2017. But, breaches are only known when the data theft is found out or reported on. Hackers don't like to get caught. I believe the 1,600 reported breaches are only the tip of the iceberg and that most vulnerable and breached systems go completely unknown and unreported. In these cases, hackers put malware like keyloggers and RAM scrapers on unsuspecting merchant systems and silently siphon payment card data off daily. They stay under the radar for years in many cases."
What does the length of this breach indicate about server and software vulnerabilities at Marriott and within the hospitality industry as a whole? What can be done to address those vulnerabilities?
Rusty Carter, VP, Product Management, Arxan: "In this situation, the attackers had access since 2014 which shows that for years they went undetected and were able to access sensitive data about individuals and their travel. This attack sheds light on the fact that many enterprise backend systems and databases are vulnerable because they must trust the application accessing them. Furthermore, the massive size of this breach further highlights the need for regulation to protect consumers. Companies need to protect their applications from tampering and reverse engineering attacks if they want to keep (or rebuild) their customers' trust. Key to minimizing the impact and likelihood of success is developing strategies that include strong detection and reporting of the health and status of applications both inside and outside the company's network."
Ian Eyberg, CEO, NanoVMs: "This breach happened because the underlying operating systems are completely broken. The underlying systems - be it Windows or Linux, the two most prevalent server-side operating systems today - are broken by design because they predate both wide-scale commercialized virtualization (à la VMware) and the 'cloud' (AWS). They are inherently designed to run multiple programs on the same server which is what allows attackers to run their programs on them (like connecting to a database and slurping down 500M records). This doesn't have to be the case though - newer operating systems exist that allow you to run only one program on a given virtual machine (server) - the one that was designed to run there - not the attacker’s program. Hotels need to start looking at preventive measures such as only using single process systems that limit only running the single program that was designed to run on a given server thus not allowing attackers to run theirs."
Ruston Miles, Founder and Chief Strategy Officer, Bluefin Payment Systems: "If the payment card data was tokenized, or encrypted with Point-to-Point Encryption (P2PE), then even though the hacker has breached the merchant's systems, they cannot see the card data they have taken. In other words, while they may have breached the systems, they cannot compromise the data. This process is called devaluing the data. On top of helping merchants mitigate the risk of card data compromise in the event of a breach, data devaluation techniques like PCI-certified P2PE can also reduce a merchant's PCI security compliance requirements by as much as 300 security controls or 90%."
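Miles's "devaluing the data" point can be made concrete with tokenization, the first of the two techniques he names: the merchant's systems keep only a random token per card, the real card number exists solely in a separately operated vault, and a copy of the merchant's database therefore contains nothing chargeable. The Go program below is an added illustration of that arrangement; it is not part of the original article and not Bluefin's product code. `Vault`, `Tokenize`, `Detokenize`, `MerchantRecord`, `MerchantDBExposes` and the sample card number are constructed for the example, and the token format is a deliberately simple one chosen here.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault is the hypothetical token vault operated by the payment provider (or
// inside a tightly scoped PCI environment). It is the only place the PAN exists.
type Vault struct {
	panByToken map[string]string
}

// MerchantRecord is what the hotel's own reservation system keeps: a guest, an
// opaque token, and nothing that can be charged or sold.
type MerchantRecord struct {
	Guest string
	Token string
}

func NewVault() *Vault {
	return &Vault{panByToken: make(map[string]string)}
}

// luhnValid rejects obviously malformed card numbers before they are vaulted.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Tokenize stores the PAN in the vault and returns a random token. The token is
// not derived from the PAN (no key to steal, no hash to brute-force); only the
// last four digits ride along so receipts and agents can still identify the card.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !luhnValid(pan) {
		return "", errors.New("invalid card number")
	}
	for {
		buf := make([]byte, 8)
		if _, err := rand.Read(buf); err != nil {
			return "", err
		}
		tok := "tok_" + hex.EncodeToString(buf) + "_" + pan[len(pan)-4:]
		if _, taken := v.panByToken[tok]; taken {
			continue // collision is astronomically unlikely; draw again anyway
		}
		v.panByToken[tok] = pan
		return tok, nil
	}
}

// Detokenize is the only path back to the PAN, and it exists only in the vault.
func (v *Vault) Detokenize(token string) (string, error) {
	pan, ok := v.panByToken[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

// LastFour lets the merchant display "**** 1111" without calling the vault.
func LastFour(token string) string {
	return token[strings.LastIndex(token, "_")+1:]
}

// MerchantDBExposes models an attacker copying the merchant's table: it reports
// whether the full PAN appears anywhere in what was taken.
func MerchantDBExposes(records []MerchantRecord, pan string) bool {
	for _, r := range records {
		if strings.Contains(r.Guest, pan) || strings.Contains(r.Token, pan) {
			return true
		}
	}
	return false
}

func main() {
	vault := NewVault()
	tok, err := vault.Tokenize("4111111111111111") // constructed test number
	if err != nil {
		panic(err)
	}
	db := []MerchantRecord{{Guest: "A. Guest", Token: tok}} // constructed record
	fmt.Println("merchant stores:", db[0].Token, "last four:", LastFour(tok))
	fmt.Println("stolen merchant table exposes PAN:", MerchantDBExposes(db, "4111111111111111"))
	pan, _ := vault.Detokenize(tok)
	fmt.Println("vault detokenizes to:", pan)
}
```

The compliance reduction Miles mentions comes from the same split: systems that only ever see tokens are out of scope for most card-data controls, while the vault and the P2PE-terminal path concentrate the remaining scope in a small, auditable perimeter.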
Ray Walsh, privacy expert and cyber security advocate, BestVPN.com: "The attack may point to out-of-date or badly implemented security on point of sale and reservation systems. Unfortunately for Marriott, which now faces a massive class-action lawsuit, it is possible that the hack was performed by infiltrating systems using a phishing attack. Such methods are relatively crude but can lead to infection with sophisticated malware and trojans that permit hackers to download secondary exploits from Command and Control servers. If the past is anything to go by, the consequences for Marriott will likely be an expensive out-of-court settlement."
Marriott stated that the breach only affected the Starwood Guest Reservation Database. Is it possible that the hackers gained access to other databases – either Marriott or Starwood?
Matt Aldridge, Senior Solutions Architect, Webroot: "There’s a risk that this attack may have spread from Starwood systems into Marriott’s systems. It will be interesting to learn more as further details emerge, including whether the encryption keys were also exfiltrated, unlocking the payment cards of millions of Starwood customers. The travel and hospitality industry is a prime target for cyberattacks thanks to the wealth of data it holds – from payment information through to passport details – which can be used to commit further crimes."
Tim Erlin, VP, Product Management and Strategy, Tripwire: “Right now, we’re at the front end of the breach response process, but we should expect that there’s much more to learn about this incident. It’s not unusual for the scope of a breach to expand after the initial disclosure. It’s extremely unusual to have discovered the full extent before public announcement is made.”
Consumers are concerned, of course, about the personal information that was stolen. Why would hackers be interested in stealing this information? What processes could Marriott implement to mitigate fraudulent transactions enacted with the stolen information?
Rusty Carter, VP, Product Management, Arxan: "This database contains a massive amount of information about likely high-value targets – individuals who can afford to stay at Starwood properties – and contains a treasure trove of information that hackers can use to build sophisticated, comprehensive dossiers on these victims. Including passport information and date of birth, this makes wide-spread impersonation and fraud much more likely. Customers should first check in with their financial institutions, and take advantage of additional security measures wherever their financial institutions offer them. Given the extent of data stolen, they should also closely watch for fraud in things like their tax returns – which leverage some of this same personal information."
Michael Reitblat, CEO & Co-Founder, Forter: “The Marriott hotel hack is the latest in an alarming series of data breaches that have compromised the personal information of more than one-third of consumers, leading to the recent spike in fraud attack rates. This breach is particularly dangerous because of its size and the variety of data stolen, including payment card numbers. Forter’s AI-driven fraud prevention technology processes $55 billion worth of transactions across 188 countries each year, giving us visibility into how fraudsters are using sensitive information stolen in hacks to take advantage of e-commerce retailers and consumers. Popular attack methods include Account Takeover (ATO) – when criminals hijack personal details, log in to an online account, and masquerade as a returning customer – and loyalty program fraud – when fraudsters steal and monetize customers’ loyalty points after gaining access to an account through ATO. ATO increased 31% year over year as of Q3 2017, which reinforces why online merchants like hospitality companies must be diligent about using machine learning, combined with expert insight and research, to stop fraud at every touchpoint along the customer journey instead of just focusing on checkout.”
Ryan Wilk, VP of Customer Success, NuData Security, a Mastercard company: “This news needs to remind merchants and other companies transacting online that their systems are never entirely safe from breaches; these can happen at any time, and companies need to have their post-breach process ready. This plan includes the implementation of a stronger verification framework so they can still correctly authenticate their good users despite potentially stolen credentials. This sort of data exposure is why so many organizations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioral analytics that identify customers by their online behavior thus mitigating POS-breach damage as hackers are not able to impersonate individual behavior."
What are some of the possible legal ramifications for this data breach?
Paige Boshell, managing member of Privacy Counsel: "In the U.S., the breach will likely attract scrutiny from the Federal Trade Commission and state attorneys general. According to Marriott's statement, law enforcement is already involved, although this appears to be an external hack (rather than criminal activity by Starwood or Marriott). The availability of consumer remedies by lawsuits (including class actions) will depend on the fact of the breach and the non-discovery of the breach, and whether or not Starwood and/or Marriott was deficient in their security practices. More importantly, the actual occurrence of harm to consumers (such as credit fraud or identity theft) may determine the availability of this redress. It may, however, be a mitigating factor if Starwood's security practices were less reasonable and Marriott's more stringent, and Marriott may receive the benefit of any doubt for having found and resolved the attack; it will all depend on the facts as they unfold."