Lessons learned: the Marriott breach
Overview of the breach
Marriott International has been in the news throughout 2019 due to a major data breach that was discovered and investigated in late 2018. The breach exposed 383 million guest records, making it the second-largest data breach in history (behind Yahoo's three billion compromised accounts).
Beyond the size of the breach, it is also significant for the types of data that were leaked. Based on the most recent reports by Marriott, the following information was exposed:
- Guest payment card information: 9.1 million encrypted payment card numbers and expiration dates
  - 385,000 of the cards were still valid at the time of the breach
  - Potentially "several thousand" unencrypted card numbers were breached
- Guest records: records of 383 million accounts with Starwood (owned by Marriott) that include:
  - Full names
  - Mailing addresses
  - Phone numbers
  - Email addresses
  - Rewards information
- Passport numbers: 18.5 million encrypted and 5.25 million unencrypted passport numbers of guests
A large quantity of the breached data was encrypted, and the investigation performed by third parties engaged by Marriott uncovered no evidence that the attackers obtained the decryption key for this data. However, the volume of unencrypted data (including millions of passport numbers) makes this a significant breach even though most of the payment card and passport information was encrypted.
Timeline of the breach
Beyond the scope of the breach itself, this incident is also distinguished by how it was managed by Marriott. The investigation stretched over three months, with new data about the impacts being discovered throughout the process. In this section, we’ll explore some of the major milestones within the breach process.
- July 2014: Hackers penetrate Starwood systems
- September 23, 2016: Marriott officially completes acquisition of Starwood
- September 7, 2018: Accenture, a contractor managing the Starwood database for Marriott, becomes aware of the breach due to an alert regarding an unusual SQL query
- September 8, 2018: Accenture notifies Marriott of the breach
- September 10, 2018: Marriott hires third-party investigators to determine the scope of the breach
- September 17, 2018: Investigators discover a remote access Trojan (RAT) on Starwood systems
- October 2018: Mimikatz, a tool commonly used to extract credentials (passwords and hashes) from the memory of Windows systems, is discovered on Starwood systems
- November 2018: Investigators find that a hacker has been present since at least July 2014
- November 13, 2018: Two encrypted, compressed files are found to have been previously deleted from the system
- November 19, 2018: Files are decrypted and prove to include the breached data
- November 26, 2018: Two other tables from the Starwood Guest Reservation Database are found to have been copied in 2015/2016, but the files could not be recovered or proven to have been stolen
- November 29, 2018: Marriott informs the FBI, data security regulators, credit card companies and other government bodies of the breach
The scope of the Marriott breach makes it the second-largest breach in history (behind Yahoo). A deep dive into the details of the breach and how it was handled reveals several important takeaways for Marriott and for other organizations that collect and store large amounts of sensitive data.
From initial discovery to the end, the Marriott breach investigation took approximately three months to complete, a large part of which was probably due to the effort required to search through more than four years of log data. In the end, Marriott reported the cost of the incident at about $72 million, of which $71 million was covered by insurance.
The fact that Marriott was only forced to pay a small percentage of the costs of the breach out of pocket demonstrates the value of cyber-insurance to large businesses. However, Marriott has stated that it anticipates cyber-insurance becoming too expensive or unavailable in the future.
Data and network security
A large portion of the impact of the breach was caused by poor data management practices at Starwood and Marriott. The compromised data included 5.25 million unencrypted passport numbers and, potentially, unencrypted payment card data for several thousand guests. Data this sensitive should be stored only in encrypted form, with the keys held separately from the database. Marriott now plans to store passport data in an encrypted format and is considering storing the data at each property rather than centrally, to limit the impact of a breach of any one system.
In March 2019, Arne Sorenson, CEO of Marriott, testified before the Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations. His testimony stated that after the Starwood breach, they were deploying several additional protections on the Starwood and Marriott networks.
In the aftermath of the incident, endpoint protection solutions were deployed to 70,000 devices on the Starwood network, and deployment has been accelerated to an additional 200,000 devices on both networks. Marriott has also implemented IP whitelisting for the affected database and is implementing network segmentation to protect sensitive data.
While these are excellent steps to take, they should already have been in place on the Starwood and Marriott networks prior to the breach. PCI DSS, the standard that governs organizations collecting and storing payment card information, requires that network access to the cardholder data environment be restricted, and network segmentation is the standard way to meet that requirement and reduce the scope of systems that must be protected. A significant takeaway for Marriott from the breach is the importance of compliance with such standards.
M&A due diligence
Marriott was not responsible for Starwood systems during many of the stages of the Starwood breach. Marriott only acquired Starwood after the hackers had access and may have exfiltrated some data. Marriott also had limited or no visibility into Starwood’s systems before the acquisition was completed (as the two organizations were competitors). However, they were responsible for anything that happened once they took control.
One of the primary arguments that Marriott gave for the acquisition of Starwood was the cost savings associated with merging the two companies. These savings included numerous layoffs, likely including network security positions within Starwood’s organization. The loss of these workers, who were the most knowledgeable regarding the details of Starwood’s network, may have negatively impacted their ability to identify and address the vulnerabilities in the Starwood network.
Management support for cybersecurity
The importance of knowledge and support for cybersecurity at the executive and board level cannot be overstated. The average board member has an incomplete or even inaccurate view of cybersecurity, and the security team needs at least one member that understands and supports them.
Currently, Marriott does not appear to have the necessary level of support and focus on cybersecurity. None of their thirteen board members has a strong cybersecurity or technology background, and the organization does not have a dedicated cyber-risk committee. As a result, Marriott needed to rely on third parties to manage all investigation and analysis of the breach. A more cyber-focused culture at Marriott may have been able to manage the breach in-house and detected and responded to it more rapidly, minimizing the damage.
Monitoring and incident response
One area in which Marriott did well was deploying monitoring for systems holding sensitive data. The breach was originally discovered because Accenture, the contractor managing the breached database, was running IBM Guardium, a database activity monitoring solution. This tool triggered an alert when an administrator account queried for the number of rows in a database table. Since this is not a query that the application or automated jobs would normally issue, it indicated that a human was interacting with the database by hand, and warranted investigation.
However, the monitoring of the database was limited. While the breach was eventually detected by Guardium, the attacker had previously managed to copy entire tables out of the database for exfiltration. Reading a whole table of guest records is unlikely to match normal usage patterns for the database, so it could have been detected and blocked by a more robust data monitoring and protection configuration.
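The kind of rules a database activity monitor applies to catch both the row-count probe that tripped the alert and the bulk table copies that did not, shown as an added example. This is illustrative code written for this page, not Guardium's rule engine or anything from Marriott or Accenture; the table names, account names, allow-listed client IP, row-count threshold and the audit records it runs over are all constructed assumptions.

```python
"""Toy database activity monitoring: rules evaluated over database audit records.

Assumptions (not from the page): sensitive table names, which accounts are the
application's service accounts, which client IPs may reach the database, and a
row-count threshold that counts as a bulk read. Audit records are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# --- Assumed environment (hypothetical names) ---------------------------------
SENSITIVE_TABLES = {"guest_profile", "passport", "payment_card"}
APP_ACCOUNTS = {"reservation_svc"}          # accounts expected to issue app queries
ALLOWED_CLIENT_IPS = {"10.10.5.20"}         # the allow-listed application server
BULK_ROW_THRESHOLD = 100_000                # reads this large are never app traffic

COUNT_RE = re.compile(r"\bcount\s*\(\s*\*\s*\)", re.I)
WHERE_RE = re.compile(r"\bwhere\b", re.I)
FROM_RE = re.compile(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)  # single-table FROM only


@dataclass
class AuditEvent:
    ts: str            # when the statement ran
    user: str          # database account
    client_ip: str     # where the connection came from
    sql: str           # statement text as logged
    rows_returned: int # rows the statement returned


def tables_in(sql: str) -> set:
    """Tables named after FROM (joins and subqueries are out of scope for this toy)."""
    return {t.lower() for t in FROM_RE.findall(sql)}


def evaluate(ev: AuditEvent) -> List[str]:
    """Return the names of every rule the event violates, in evaluation order."""
    alerts = []
    sensitive = tables_in(ev.sql) & SENSITIVE_TABLES
    is_count = bool(COUNT_RE.search(ev.sql))

    # Rule 1: connections from anywhere but the allow-listed app server.
    if ev.client_ip not in ALLOWED_CLIENT_IPS:
        alerts.append("client_ip_not_allowlisted")
    # Rule 2: a COUNT(*) from an account that is not the application: a human
    # sizing a table by hand (the query that surfaced the Starwood intrusion).
    if is_count and ev.user not in APP_ACCOUNTS:
        alerts.append("row_count_by_interactive_account")
    # Rule 3: a read of a sensitive table with no WHERE clause, i.e. a table dump.
    if sensitive and not is_count and not WHERE_RE.search(ev.sql):
        alerts.append("unfiltered_read_of_sensitive_table")
    # Rule 4: a sensitive-table read returning far more rows than any app request.
    if sensitive and ev.rows_returned >= BULK_ROW_THRESHOLD:
        alerts.append("bulk_read_of_sensitive_table")
    return alerts


# Constructed audit records; the numbers are illustrative, not from the investigation.
SAMPLE_EVENTS = [
    AuditEvent("2018-09-07T01:02:03Z", "reservation_svc", "10.10.5.20",
               "SELECT name, email FROM guest_profile WHERE guest_id = 123", 1),
    AuditEvent("2018-09-07T01:05:10Z", "dba_admin", "10.10.5.20",
               "SELECT COUNT(*) FROM guest_profile", 1),
    AuditEvent("2018-09-07T01:07:44Z", "dba_admin", "192.0.2.77",
               "SELECT * FROM passport", 5_250_000),
    AuditEvent("2018-09-07T01:09:00Z", "reservation_svc", "10.10.5.20",
               "SELECT card_token FROM payment_card WHERE reservation_id = 9", 1),
    AuditEvent("2018-09-07T02:30:00Z", "reservation_svc", "10.10.5.20",
               "SELECT * FROM guest_profile", 383_000_000),
]


def triage(events: List[AuditEvent]) -> List[tuple]:
    """(timestamp, user, alerts) for every event that tripped at least one rule."""
    return [(ev.ts, ev.user, evaluate(ev)) for ev in events if evaluate(ev)]


if __name__ == "__main__":
    for ts, user, alerts in triage(SAMPLE_EVENTS):
        print(ts, user, ", ".join(alerts))
```

The row-count rule alone only catches the attacker's reconnaissance; rules 3 and 4 are what would have fired on the 2015/2016 table copies, and rule 1 is the IP allow-listing Marriott added after the fact. In a real deployment these rules run on the monitor's audit feed, and a bulk read of a sensitive table should block the session or alert a responder, not just be logged.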
On November 29, 2018, Marriott notified regulators and other authorities about the data breach. While reporting the breach is a good thing, the time Marriott took before reporting it would be enough to expose the company to fines under the EU's General Data Protection Regulation (GDPR) and other regulations.
Under GDPR, organizations are required to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. Even the most lenient interpretation (counting from November 19, when Marriott confirmed that sensitive data had been breached) would have required notification by November 22, a week earlier than it was made. Additionally, the form used to report the incident to the SEC, Form 8-K, is meant to be filed within four business days of the triggering event, not almost three months after the breach was discovered.
In July 2019, the Information Commissioner's Office (ICO), the UK regulator responsible for GDPR enforcement, announced its intention to fine Marriott £99 million (about $124 million). The proposed penalty is for the failure to perform proper due diligence when acquiring Starwood. However, Marriott could also have been fined for failing to comply with the reporting requirements or for inadequate protection of sensitive data.