Hotel chain Marriott announced on Friday that the personal information of approximately 500 million customers had been potentially exposed due to a breach of its guest reservation system.
In a statement, Marriott said they were initially warned about a potential intrusion in September after an internal security tool alerted them to an access attempt on the U.S. Starwood guest reservation database. A subsequent investigation discovered that cyber criminals had, in fact, had access to the Starwood network since 2014.
Compromised data for approximately 327 million guests included names, phone numbers, email addresses, passport numbers and dates of birth. The payment card numbers and expiration dates for some guests were also exposed.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s President and CEO, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott initially acquired Starwood Hotels and Resorts for $13.7 billion in November 2015. The merger was finalized the following September after gaining the approval of American regulators.
Gary Roboff, Senior Adviser for security consulting firm Santa Fe Group, says the fact that the breach went undetected for as long as it did underscores the need for constant and systematic cybersecurity diligence.
“If encryption keys were compromised and payment data was, in fact, exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a ‘mass data dump exfiltration event’ in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise,” Roboff says. “While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence.”
According to Ryan Wilk, VP of Customer Success for online fraud detection firm NuData Security, a Mastercard company, this breach should remind organizations that their online systems are never safe from hackers and further reinforces the need for having robust post-breach processes in place.
“This plan includes the implementation of a stronger verification framework so they can still correctly authenticate their good users despite potentially stolen credentials," Wilk adds. "This sort of data exposure is why so many organizations – from the hospitality sector through to e-commerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioral analytics that identify customers by their online behavior thus mitigating post-breach damage as hackers are not able to impersonate individual behavior.”
Bimal Gandhi, CEO of online identity verification firm Uniken, says the breach also shows the folly of continuing to use personally identifiable information (PII) to authenticate transactions. “Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well,” Gandhi says. “Hotels, hospitality companies, banks and e-commerce entities are all moving to newer ways to enable customers authenticate themselves across channels, without requiring any PII.”
Brand Reputation/Business Impact
Vivek Lakshman, VP of Innovation for ThumbSignIn, a provider of biometric authentication products, says that given the number of high-profile breaches in the hospitality sector, hotels must start taking data security more seriously. Lakshman adds that Marriott, in particular, will take a hit to its business due to this breach. “This will deeply impact consumer trust in Marriott's business – not just because of the size of the breach, but also the nature of the data which includes various attributes of personally identifiable information, and in some cases payment card numbers,” Lakshman says.
Marty Puranik, CEO of cloud-hosting solutions firm Atlantic.Net, says that while Marriott will likely weather the storm of bad publicity brought on by this breach, it will no doubt leave a mark on their reputation moving forward. “While a hotel’s data alone may not be considered a high-value target, the data contained provides pieces to further potentially harass or intimidate Marriott's own customers in getting defrauded,” he says.
“This puts another spotlight on the importance of security for companies, as well as individuals who choose their share their data with said companies,” Puranik adds. “Marriott is a high-quality brand that will get through this, but a brand promise is broken when a prestige brand like this allows its upscale customers data to be taken.”
According to Tim Steinkopf, President of Centrify Corp., a provider of identity and access management (IAM) solutions, Marriott will likely continue to feel the impacts of this breach to its business well into the future. “Marriott’s stock is plunging, falling more than five percent in early trading – this is directly in line with a Ponemon study that found this to be the historic average on day one (of a data breach disclosure),” Steinkopf says.
“As we saw with Yahoo, the long-term impact will likely be greater, and Marriott will continue to experience aftershocks following this breach, as this breach impacts millions of consumers who trust Marriott with their most personal information,” Steinkopf adds. “Based on its severity and the sheer numbers involved, a breach like this will displace consumer trust, and potentially wipe out additional value quickly. Data breaches are a very real business risk with bottom line concerns.”
Hospitality Sector a Prime Target
With Marriott and other hotel chains being victimized by data breaches in recent years, Wilk says the travel and hospitality industry remains a prime target for cyber criminals. “While we don’t yet know exactly how the Starwood systems were compromised, we do know that bad actors look to obtain valuable actionable data. Because of this, the travel and hospitality industry are ideal as they collect data from many affluent and business travelers that can be quickly monetized,” he says. “Another possible outcome of these breaches that may cause even more worry especially when a compromise happens over a number of years, is the potential for a bad actor to understand when a traveler is away from home which could lead to real-world theft.”
Mark Bower, CRO at Egress Software, also expressed concern about how cyber criminals may weaponize data stolen from Marriott to carry attacks on other businesses. “This should be a warning signal to any business that may have had an employee stay at one of the properties,” Bower says. “We expect the attackers to monetize the stolen PII, but also use it as fuel for future attacks on any organization that had employees stay at one of the properties. The detailed information stolen from Marriott is typically used for advanced and sophisticated phishing attacks, business email compromise (BEC) attacks, and other well-orchestrated schemes that target employees and C-level executives alike.”
Potential GDPR Implications
Tim Erlin, VP of Product Management and Strategy at cybersecurity software developer Tripwire, says there is a high likelihood that information on residents of the European Union was affected by this breach, which means there will undoubtedly be implications for Marriott as it relates to the EU’s General Data Protection Regulation.
“Right now, we’re at the front-end of the breach response process, but we should expect that there’s much more to learn about this incident,” he says. “It is not unusual for the scope of a breach to expand after the initial disclosure. It is extremely unusual to have discovered the full extent before public announcement is made.”
About the Author:
Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].