The Marriott Starwood data breach has potentially exposed details of up to 500 million customers, which would place it well above the Experian breach of 2017 (143 million records) and the Anthem breach of 2015 (78.7 million records). Hackers are said to have copied and encrypted information after gaining access to data. That information included personal information such as dates of birth, social security numbers, credit card numbers and other sensitive information.
There will be lots of apologies written by the public relations team about how important customer data is to Marriott, but in the end, the customers have been let down yet again by another large company who did not cover the basics of cyber security. Based on what we know now, here are what I would call failures on Marriott’s part to properly quantify and assess risks for this event.
1. Unauthorized Access Since 2014
Four years of potential access. Marriott admitted that someone was able to move around their network for four years without detection. To meet compliance requirements, companies have to pass a security assessment every three years through a third-party vendor. If these tests were being done properly, the vulnerabilities would have been uncovered or there would have been some indication of compromise. The fact that these issues went unnoticed for so long indicates either the tests weren’t being done or the scope of those tests was limited. Either way its clear effectual assessments weren’t conducted.
2. Incomplete Database Vetting and Testing Prior to a Merger
Marriott International and Starwood merged in 2016, two years after the initial unauthorized access was suspected to have begun, so it appears this was a risk acquired by Marriott. Any acquisition should have a cyber security assessment done, complete with the risk and vulnerability assessment, penetration test, indicators of compromise assessment, and overall security controls assessment. The Yahoo breach and subsequent reduction in the sale price to Verizon was the first big wake-up call to any merger and acquisition activity, and the Marriott Starwood merger will likely be the second. The Yahoo breach reduced its sale price by $375 million and cost the company an additional $16 million in related forensics and legal services.
It should be noted that in January 2018, Marriott started urging Starwood customers to combine accounts from their loyalty programs. In August 2018, Marriott Rewards, The Ritz-Carlton Rewards, and SPG (Starwood’s parent company) combined all user accounts into a single account. The breach was first detected on September 8 by an internal security tool alert according to the information provided by Marriott. It appears the process of migrating and linking accounts put the legacy systems under new monitoring capabilities that may have led to the discovery.
3. Unmonitored Cloud Access
The Marriott database was hosted on a ServiceNow cloud computing portal. While the reports are talking about a lack of two-factor authentication and an easily-guessed password, no one is talking about monitoring where traffic was going and coming from at the ServiceNow boundary. Cloud computing is a good thing, but it does present some different security concerns that companies must address. One of those is monitoring who is logging into your network from where, and what or how much data they are moving. Cloud monitoring could have identified suspicious log-in locations and identified large data transfers to stop this attack sooner. Cloud monitoring is an inexpensive control to add and should be part of any company’s cloud migration strategy.
4. Improper Storage of Encryption Keys
The initial reports say that the data was encrypted using the Advanced Encryption Standard 128, or AES-128, which is in line with the Payment Card Industry Data Security Standard (PCI-DSS), and the Federal Information Processing Standard 197 (FIPS-197). But that almost doesn’t matter because the encryption key wasn’t stored or protected correctly. Having the security keys stored in an accessible area is the same as leaving the keys in your car – eventually someone will notice and steal your car. This issue is more common than you might think and happens across all types of industries with passwords, certificates, and encryption keys. It’s something that Delta Risk specifically looks for when we do penetration tests for our clients to make sure their data is protected from all vulnerabilities, including both system and human errors.
More details on this data breach are sure to come out in the coming weeks and months, and the consequences will likely be more painful for Starwood because of the international nature of the incident. We will undoubtedly see the European Union’s General Data Protection Regulation (GDPR) invoked for the company’s European customers and other countries will become involved to protect the interests of their citizens. A lot will be learned from this on the international business side, too. But I would argue that there will be no new cyber security lessons—only a repeat of the same issues. Striking a balance between cyber security and business operations is key. Until cyber security is made more of a priority these issues will continue to plague companies who struggle to make it part of their daily operations.
The fact that someone was able to move around Marriott’s network for four years without being detected is a pretty clear indicator that successful security assessments were not being conducted. But this hack could have been prevented in many other ways, too. If the companies had properly vetted their databases before the merger took place, this could have been caught much earlier. A lack of cloud security and monitoring and leaving the encryption keys – essentially the keys to the castle - in the lock, didn’t help either.