The facts: Marriott discovered the event by identifying an encrypted database containing guest information. The database was apparently encrypted to evade detection by the data loss prevention (DLP) technology. Approximately 320M of the records included passport and other personally identifiable information. Credit card data were encrypted per the requirements of the Payment Card Industry Data Security Standard (PCI DSS); however, it's not outside the realm of possibility that someone is busily working on decrypting those records.
Marriott Miss #1
Miss 1 is poor detection and response. Technology designed to prevent security incidents is not perfect and will fail against a determined attacker. In the security industry, there's something called "dwell time": the time between the initial compromise and the actual detection and response. In this case, the dwell time was ridiculously long: up to four years. There was more than adequate time to detect the presence of the compromise through good monitoring combined with oversight from human investigators.
Clearly, the monitoring and/or humans failed to detect the signals of initial compromise, unauthorized network access, internal pivoting to identify the records to steal, unauthorized database access, and data exfiltration. That's a lot of failures, and once investigations are complete, my guess is that Marriott will get religion on the value of comprehensive monitoring, good investigation capabilities, and rapid response to limit the impact of security events like these.
Marriott Miss #2
Miss 2 is the failure to fix security holes during the acquisition of Starwood. It's likely that Marriott knew of the Starwood breach during the acquisition process, but it sounds like no additional steps were taken to comprehensively examine the network for signs of lingering hacker presence. Whether these two events are connected is, at this point, a bit of conjecture. But it's awfully suspicious, even though the Starwood incident involved fundamentally different tactics (compromised point of sale devices).
There are two lessons.
- Most importantly, monitor your network! Companies need preventive controls, but that's just not good enough anymore. Preventive controls MUST be backed up by monitoring, investigation, confirmation, and rapid, effective response to limit the impact of security events. And I'm not talking about now-and-then monitoring; I mean 24/7 monitoring. It's why I started CI Security: so that we could staff a Security Operations Center around the clock and do managed detection and response (MDR) right.
- During an acquisition, it's important to evaluate the security of the organization being acquired. Companies should look both for the controls that are in place and for the possibility that already-compromised assets exist on the acquired network. CI Security has guidance on this process here. It specifically speaks to the health sector, but it is generally applicable to businesses buying businesses.
One Last Note
It’s not just Marriott. If you hear someone say today, “good thing I stayed at a different hotel,” you can tell them this: Marriott is not alone. Hotels have had problems with point of sale systems scraping transaction data. InterContinental Hotels Group (IHC) comes to mind. The IHC hack was identified through fraudulent transactions with stolen cardholder data. Hyatt, Kimpton, Trump, and Mandarin Oriental hotels have all been compromised and cardholder data stolen since 2015.
I send out cybersecurity news every day. If you’d like to get my daily emails, fill out the form on this page.