On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott engaged security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.
The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.
For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using AES-128. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
Here are some reactions Help Net Security received about this incident.
Ollie Whitehouse, Global CTO, NCC Group
Marriott Hotels should have identified this breach through their cyber due diligence of Starwood in 2016 when it acquired the company. As a result of buying a breach they will face a number of challenges at a board level around the levels of governance and diligence within the business. Had it performed a detailed compromise assessment as part of its due-diligence activity, the organisation’s board would have been informed of the breach and been able to make a decision based on risk or put other warranties in place.
Since the compromise started in 2014, the breach doesn’t fall under the remit of GDPR. However, the fallout would be incredibly severe under this regulation, and therefore any organisation looking to undergo an M&A deal now or in the future should learn from this example and ensure comprehensive cyber security and compromise assessments are carried out to inform their understanding of risk.
Matthew McKenna, VP EMEA, SecurityScorecard
Although the Starwood Marriott merger was completed in September 2016, the aspects of merging organisations of this many brands and this much complexity, operationally and from an IT, risk and security perspective, are daunting. The likelihood of exploitable remnants of security vulnerabilities being left behind over the years that could have been exploited is one potential likelihood. Did Starwood and Marriott have clear visibility and oversight of the cyber risk implications of the merger early enough to foresee such risk, and, at a second dimension, did they have a strong enough understanding of the risk their supply chain was introducing into the organisation and to the overall security of their data?
With the ever-changing nature of cyber security threats, no company can ever truly guarantee even its own internal security. With the added complexity of connections to third party providers and supply chains, ensuring security becomes an even more difficult task.
Matt Aldridge, Senior Solutions Architect, Webroot
What’s interesting about this incident is that Starwood were breached two years prior to the Marriott acquisition, which brings up the question of “To what extent should Merger & Acquisition due diligence extend to cybersecurity audit, and if indeed this was done at the time, why did it not uncover this issue?” A prior breach is a real risk issue for a company to take on, and needs to be considered. Cyber hygiene needs to be embedded into business processes at all levels.
There’s a risk that this attack may have spread from Starwood systems into Marriott’s systems. It will be interesting to learn more as further details emerge, including whether the encryption keys were also exfiltrated, unlocking the payment cards of millions of Starwood customers. The travel and hospitality industry is a prime target for cyberattacks thanks to the wealth of data it holds – from payment information through to passport details – which can be used to commit further crimes.
Matt Walmsley, EMEA Director, Vectra
With a real treasure trove of valuable personal information having been lifted, this is undoubtedly going to damage the Marriott Starwood brands, and could have a significant direct impact on their affected customers’ identity assurance.
With more than two months between the initial detection time on 8th September 2018 and public disclosure of the breach, depending on what they knew and when, the disclosure window may contravene the GDPR 72-hour notification requirement.
With regard to the breach itself, exfiltrating the data inside encryption may have been an attempt to circumvent security controls such as data loss prevention systems. Having systems watch for exfiltration-like behaviours, rather than trying to inspect the data payloads, can provide a way of handling this challenge. It’s not yet clear exactly what tool flagged the attack but it’s reasonable to believe, based upon their published description, that it was only detected late in the attack lifecycle. Attackers generally have to make multiple steps and behaviours before they are able to steal or manipulate behaviours. Therefore, detection of these early-stage behaviours is key.
This breach also demonstrates that incident response continues to take too long, and in many cases the result is security teams trying to figure out “what just happened, how do we stop it happening again?” rather than spotting, understanding and closing down an attacker earlier in its lifecycle to minimise or stop a breach occurring.
Equally, current manual threat hunting and forensics take too long, and we need to find ways to reduce this. It’s here that automation of some of the tasks, often powered by AI, can significantly reduce the noise of alerts and unrelated information that analysts have to plough through to build up an understanding. In this way, analysts and forensic investigators can augment themselves with automated tools that allow them to act with speed and efficacy that humans alone simply cannot achieve.
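The point made above about watching for exfiltration-like behaviour rather than inspecting payloads can be made concrete. The following is an added example, not code from the original article or from any vendor quoted in it: a small detector that looks only at flow metadata (which internal host sent how many bytes to which external destination, per day), so an attacker who encrypts the stolen archive before sending it gains nothing from doing so. Every hostname, byte count and threshold below is constructed for illustration; the zero-variance baseline of the file server shows the edge case a naive z-score would trip over.

```python
"""Behaviour-based exfiltration detection over outbound flow records.

Added example, not code from the original article or from any vendor quoted
in it. It watches how much data leaves each internal host and where it goes,
instead of inspecting the payload, so encrypting the stolen data first does
not hide the transfer. Every hostname, byte count and threshold is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, source_host, destination_host, bytes_out).
# Days d1..d6 form the learning baseline; d7 is the day under review.
FLOWS = [
    # db01: a nightly backup of steady size, then a huge upload somewhere new
    ("d1", "db01", "backup.corp.example", 20_000_000),
    ("d2", "db01", "backup.corp.example", 21_000_000),
    ("d3", "db01", "backup.corp.example", 19_500_000),
    ("d4", "db01", "backup.corp.example", 20_500_000),
    ("d5", "db01", "backup.corp.example", 20_000_000),
    ("d6", "db01", "backup.corp.example", 19_000_000),
    ("d7", "db01", "backup.corp.example", 20_000_000),
    ("d7", "db01", "cloud-storage.example", 600_000_000),  # encrypted dump leaving
    # ws17: a workstation with noisy but small web traffic
    ("d1", "ws17", "cdn.example", 3_000_000),
    ("d2", "ws17", "mail.example", 5_000_000),
    ("d3", "ws17", "cdn.example", 4_000_000),
    ("d4", "ws17", "docs.example", 6_000_000),
    ("d5", "ws17", "cdn.example", 2_000_000),
    ("d6", "ws17", "mail.example", 4_000_000),
    ("d7", "ws17", "video.example", 5_000_000),  # new destination, normal volume
    # fs02: exactly the same volume every day (zero-variance baseline)
    *[(d, "fs02", "sync.corp.example", 50_000_000)
      for d in ("d1", "d2", "d3", "d4", "d5", "d6", "d7")],
]
BASELINE_DAYS = ("d1", "d2", "d3", "d4", "d5", "d6")


def detect_exfiltration(flows, baseline_days, review_day,
                        z_threshold=3.0, min_bytes=100_000_000):
    """Return one finding per host whose outbound volume on review_day is anomalous.

    A host is flagged when its total outbound bytes on review_day are at least
    min_bytes (an absolute floor so tiny hosts do not alert on noise) AND lie
    more than z_threshold standard deviations above its own baseline mean.
    Payload content is never examined, so encryption does not hide the flow.
    """
    per_day = defaultdict(lambda: defaultdict(int))      # host -> day -> bytes
    baseline_dests = defaultdict(set)                     # host -> destinations seen in baseline
    review_dests = defaultdict(lambda: defaultdict(int))  # host -> dest -> bytes on review_day
    for day, src, dst, nbytes in flows:
        per_day[src][day] += nbytes
        if day in baseline_days:
            baseline_dests[src].add(dst)
        elif day == review_day:
            review_dests[src][dst] += nbytes

    findings = []
    for host in sorted(per_day):
        history = [per_day[host].get(d, 0) for d in baseline_days]
        today = per_day[host].get(review_day, 0)
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            # Zero-variance baseline: any growth is unboundedly unusual,
            # no growth is not unusual at all.
            z = float("inf") if today > mu else 0.0
        else:
            z = (today - mu) / sigma
        if today >= min_bytes and z >= z_threshold:
            # Enrich the finding with destinations never seen in the baseline;
            # that is where an analyst would look first.
            new = {d: b for d, b in review_dests[host].items()
                   if d not in baseline_dests[host]}
            findings.append({"host": host, "bytes_today": today,
                             "baseline_mean": mu, "z_score": z,
                             "new_destinations": new})
    return findings


if __name__ == "__main__":
    for f in detect_exfiltration(FLOWS, BASELINE_DAYS, "d7"):
        print(f"{f['host']}: {f['bytes_today']:,} bytes out "
              f"(baseline mean {f['baseline_mean']:,.0f}, z={f['z_score']:.1f}); "
              f"new destinations: {f['new_destinations']}")
```

Run as-is, only db01 is reported: its 620 MB day is hundreds of standard deviations above its 20 MB nightly backup, and the finding names the destination that never appeared in the baseline. The workstation's new but small destination and the file server's unchanging volume stay quiet, which is the trade-off a volume-based detector makes deliberately: it catches the bulk transfer regardless of encryption, and leaves slow, low-volume leakage to other controls.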
Joseph Carson, Chief Security Scientist, Thycotic
What is shocking about this data breach is that the cybercriminals potentially got away with both the encrypted data as well as the methods to decrypt the data, which makes it appear that Marriott has not practised adequate cybersecurity protection for their customers’ personal and sensitive information.
The major problem with such data breaches in the past is that those companies who have been entrusted to protect their customer data have only offered up to one year of identity theft protection. But much of the identity information that is stolen typically lasts between 5-10 years, such as driver’s licenses and passports. So while victims may get some protection, they are at serious risk for years unless they actively replace compromised identity documents, which is done at a cost. Companies who fail to protect their customers should at least be responsible for the cost of replacing compromised information and documents rather than deflecting responsibility and accountability.
This latest major data breach will raise questions as to when Marriott knew about the breach and whether or not they complied with global regulations such as the EU General Data Protection Regulation, which imposes financial penalties of 20m Euros or 4% of annual turnover. If you are a customer affected by the latest Marriott data breach then it is important to know what data is at risk and to consider taking extra precautions as well as changing your Marriott account password.
Tom van de Wiele, security consultant, F-Secure
The hack was targeted at a part of the company that Marriott acquired a few years ago, namely Starwood. This is a common trend where it’s usually not the main company that is targeted but rather attackers aim to compromise the softer underbelly of the organisation, which are usually IT service providers, contractors and other entities with a high number of interactions within the company. Interactions mean a lot of moving parts to try and control, while other acquisition and fusion efforts are going on. Things like the integration of IT systems and the security thereof take a lot of time between two companies that have to merge requirements, security policies, IT environments, technology stacks and company cultures. Some risks are addressed, others are accepted.
The most disappointing part of this hack is the fact that the amount of data stolen is one of the bigger ones of the last few years and further made worse by the fact that the compromise had been going on for at least four years according to several online publications. This indicates that as far as security monitoring and being able to respond in a timely and adequate fashion, Marriott had severe challenges being able to live up to its mission statement of keeping customer data safe.
The real root cause of this might never be known but when looking at other companies that have experienced similar situations – for which F-Secure has performed incident response – the reason for this long detection and response time is usually a general lack of maturity in the detection strategy of the company when trying to find relevant information to track potential incidents.
Being able to prioritise what is important for the business, i.e. customer data, and placing detection points at the right choke points while being able to respond, is absolutely crucial for any company trying to guard and protect customer data of any kind.
Some media have reported the database being potentially encrypted is a good thing. Companies should assume a breach will occur and, with that, assume that their database of valuable information can be stolen by an attacker. Following the defence-in-depth principle, this is the right thing to do – to provide layers of protection or resistance to limit the impact of the attack. But the customers of Marriott and Starwood should still take precautions and not get their hopes up. After all is said and done, encryption and the encryption of data is still dependent on who has the keys to be able to decrypt, or, make the information readable again. Having locks on doors is great, but not if you are only doing it to say that you have locks and keep a key handy under every doormat.
Ilia Kolochenko, CEO, High-Tech Bridge
Looks like one more tremendous data breach related to insecure web applications. Many large companies still do not even have an up-to-date inventory of their external applications, let alone conducting continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail.
Regulations, such as GDPR, do not necessarily help. In the past two years many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cybersecurity and privacy.
Legal ramifications for Marriott and its subsidiaries can be tremendous, from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims.
Kevin Curran, Senior IEEE Member and Professor of Cybersecurity at Ulster University
This is not the largest data breach by any means, although 500 million is no small number and potentially a very sensitive data breach. The sensitive data stolen in this breach can be used by criminals for identity theft where they could convince targeted individuals to give up vital, personal information, like a password or access to banking sites. The more convincing a phishing email is – the more likely someone is to reply to it.
The reason we are seeing so many data breaches this year is simply an indication of where we are in time. We are situated between a time where companies really face no penalties for poor storage and protection of data – apart from reputation loss – and a future world where organisations will be fined enormous sums for allowing data to leak. People are also in a semi-state of ignorance (or deliberate ignorance) of safe computing practices.
A recent report stated that cybercrime damage is to hit $6 trillion annually by 2021. Cyber theft is simply becoming the fastest growing crime in the world. Gartner reports that this rising tide of cybercrime has pushed cybersecurity spending to more than $80 billion in 2016. A major problem is that there is a severe shortage of cybersecurity talent with unfilled cybersecurity jobs to reach 1.5 million by 2019.
In the wider context, according to the National Crime Agency Cyber Crime Assessment 2016 report, cybercrime accounted for 53 per cent of all crimes in 2015. This percentage is rising steadily each year. We can expect to see cybercrime continue to develop into a highly lucrative and well organised enterprise.
Cyber criminals, whether state sponsored or not, are even beginning to devote funds to research and development as yet. Criminals are increasingly moving online because this is where the money is. The annual Mary Meeker state of the Internet report for 2017 reports that network breaches are increasingly caused by email spam/phishing. In fact spam has increased 350% in one year. The trend for ransomware is also worrying. Malwarebytes shows an increase from 17% in 2015 to 259% in 2016. Across the board we are seeing increases in attacks, and breaches like Marriott’s will only make this problem worse.
Geoff Forsyth, CTO, PCI Pal
The fact that Marriott exposed the personal info of approximately 500M guests, with 327M members having their sensitive data including names, contact info, passport numbers, travel information, and potentially credit card numbers exposed, may be just the start of the company’s concerns.
We recently conducted consumer research which found that 83% of consumers will stop spending with a business for several months in the immediate aftermath of a security breach like the one faced by Marriott today. Even more significantly, over a fifth (21%) of consumers will never return to a business post-breach, representing a significant potential revenue loss. To put this in perspective, one fifth of Marriott’s reported $398M in Q1 2018 earnings equates to approx $79.6M.
Add to this the fact that consumers are starting to perceive certain sectors as more risky than others as a result of security breaches such as this one – the same research found that consumers already think the travel sector is the second most risky when it comes to security, after retail.
For consumer facing businesses, these findings should serve as a stark warning to ensure that they are implementing online and voice payment security measures, or face negative, and potentially long-lasting revenue and reputation consequences.
Tom Kellermann, Chief Cybersecurity Officer, Carbon Black
It appears there had been unauthorized access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organization – they’re getting in, moving around and seeking more targets as they go.
The report also found that more than a third (36%) of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organization’s affiliates, often smaller companies with immature security postures, and this can often be the case during mergers and acquisitions. This means that data at every point in the supply chain may be at risk, from customers, to partners, to potential acquisitions.
Marriott has today revealed that its Starwood guest reservation database has been subject to unauthorised access “since 2014”. The scope of the data breach is huge, covering nearly five years and approximately 500 million guests.
The company has created a website to deal with the breach at info.starwoodhotels.com (note that at the time of writing it redirects to answers.kroll.com).
The company warns that if you made a reservation at one of its Starwood brands in the last five years then you are at risk:
If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved.
According to Marriott its Starwood brands include: Starwood branded timeshare properties, W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
What data is at risk?
It seems that different guests may be subject to different levels of exposure, according to how much data they shared. Until you have successfully confirmed your level of exposure with Marriott, you should assume the worst.
Information put at risk by the breach includes “some combination of” name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, payment card numbers and payment card expiration dates.
Although payment card numbers were encrypted, thieves may have stolen the information required to decrypt them.
Marriott has not revealed what events or security failures occurred (it may not yet know), but it has released some details about how it discovered the breach.
The company says that on 8 September 2018 it was alerted to an unauthorised attempt to access the Starwood guest reservation database. Security experts called in to deal with the incident revealed that unauthorised access to the Starwood network started as far back as 2014, two years prior to Marriott’s acquisition of Starwood.
On 19 November 2018, Marriott learned that a recent attempt to encrypt and exfiltrate data from the network had included data from the Starwood guest reservation database.
As you can see from what Marriott has revealed so far, it can be difficult for everyone concerned to tell the difference between data that has been put at risk and data that has actually been stolen.
Until they can confirm otherwise, victims would be prudent to assume they amount to the same thing.
What to do?
Website and call centres
If you think you may be affected, make a point of checking the official breach website regularly, particularly its frequently asked questions section. Remember, it’s likely that Marriott is still learning about the breach and adapting to the situation it finds itself in.
Marriott says it has established a dedicated, multilingual call centre that will be open seven days a week. You can find your local call centre number by clicking on the large Call Centre Information link on the main page of the breach website.
Marriott has begun sending emails to affected guests whose email addresses are in the stolen database. This represents a huge potential opportunity for email scams, so the company has sensibly set out some guidelines to help you identify if an email is genuine:
- The email will come from email@example.com
- It will not contain attachments or requests for information
- It will only link to the official website
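The three guidelines above can be applied mechanically to a message before anyone clicks on it. What follows is an added example, not code from Marriott, Kroll or the article's author: it parses a raw email, checks that the envelope sender (not the display name, which is trivially forged) matches the announced address, rejects any attachment, and verifies that every link points at the official breach site. The sender constant uses the placeholder address as printed on this page, the permitted link hosts are the two domains the article names, the keyword list used to spot "requests for information" is an assumed heuristic, and all three sample messages are constructed.

```python
"""Check a breach-notification email against the three published rules.

Added example, not code from Marriott, Kroll or the article's author. The
message must come from the announced sender, carry no attachments and link
only to the official breach site. EXPECTED_SENDER is the placeholder printed
on the page, OFFICIAL_HOSTS are the two domains the article names, REQUEST_RE
is an assumed heuristic, and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

EXPECTED_SENDER = "email@example.com"   # placeholder, as printed on the page
OFFICIAL_HOSTS = {"info.starwoodhotels.com", "answers.kroll.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)
# Assumed heuristic for "requests for information": a genuine notice will not
# ask for credentials or card details, so these phrases are a red flag.
REQUEST_RE = re.compile(r"\b(password|card number|confirm your|verify your)\b", re.I)


def text_parts(msg):
    """Yield the decoded text of every text/* part (multipart containers are skipped)."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def has_attachment(msg):
    """True if any part is declared an attachment or carries a filename."""
    return any(part.get_content_disposition() == "attachment" or part.get_filename()
               for part in msg.walk())


def check_notification(raw):
    """Return (is_genuine, problems) for a raw RFC 822 message string."""
    msg = message_from_string(raw)
    problems = []
    # Rule 1: compare the real address; the display name is ignored on purpose.
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != EXPECTED_SENDER:
        problems.append(f"unexpected sender: {sender!r}")
    # Rule 2: no attachments.
    if has_attachment(msg):
        problems.append("message carries an attachment")
    # Rule 3: every link must point at the official site.
    body = "\n".join(text_parts(msg))
    for url in URL_RE.findall(body):
        host = (urlparse(url.rstrip(".,;")).hostname or "").lower()
        if host not in OFFICIAL_HOSTS:
            problems.append(f"link to non-official host: {host!r}")
    # Rule 2b: no requests for information (heuristic, see REQUEST_RE).
    if REQUEST_RE.search(body):
        problems.append("message asks for information")
    return (not problems, problems)


# Constructed sample messages.
GENUINE = """\
From: Marriott <email@example.com>
To: guest@example.net
Subject: Information about the Starwood guest reservation database incident
Content-Type: text/plain; charset="utf-8"

Details and enrolment in the monitoring service are available at
https://info.starwoodhotels.com/ and https://answers.kroll.com/.
"""

PHISH = """\
From: "Marriott Guest Services" <alerts@starwood-guest-verify.example>
To: guest@example.net
Subject: Urgent: confirm your SPG account
Content-Type: text/plain; charset="utf-8"

Your account was involved in a breach. Confirm your password within 24 hours at
http://starwood-guest-verify.example/login to keep your points.
"""

WITH_ATTACHMENT = """\
From: Marriott <email@example.com>
To: guest@example.net
Subject: Your breach report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

See the attached report and visit https://info.starwoodhotels.com/.
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("phish", PHISH), ("attachment", WITH_ATTACHMENT)):
        print(name, check_notification(raw))
```

The genuine sample passes all checks; the phishing sample fails on three counts (wrong sender, link to an unrelated host, and a request to confirm a password); the third message comes from the right address and links to the right site but still fails because it carries an attachment. The sender check is only as strong as the mail system's authentication of the From address, so in practice it belongs behind SPF/DKIM/DMARC verification rather than replacing it.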
Marriott is offering victims in the USA, UK and Canada a free, one year subscription to something it calls WebWatcher, which it describes as a service that monitors “internet sites where personal information is shared”.
Don’t Google it. If you Google WebWatcher you won’t find the monitoring service, you’ll find lots of links to spyware of the same name. Don’t sign up for that!
Do follow the links to country-specific versions of the official breach site. You cannot sign up for monitoring from the main breach page, you have to go to the all-but-identical versions of the page for the US, UK or Canada.
On those pages you’ll find local call centre phone numbers and large, grey (and surprisingly easy to miss) Enroll Now buttons. They link to an enrolment form for Kroll’s ID monitoring service, and they look like this:
- Review your accounts. Review your bank or payment card accounts for suspicious activity, and if you’re a member of Marriott’s Starwood Preferred Guests program, monitor your SPG account for suspicious activity too.
- Beware of scams. Criminals may look to exploit anxious victims with fake websites or phishing emails, messages and phone calls. These may be well disguised so don’t click on any links, and verify anything you encounter by heading directly to the official breach website or calling the official call centre numbers.
- Report ID theft. If you think you’re a victim of identity theft, or if your stolen information has been misused, contact your national data protection authority or local law enforcement.
- Change your password if you have a Starwood Guest Account. If you used the same password on other websites or services, change those too. Choose different, strong passwords for each one.