Roots of Marriott Breach Run Deep
October 17, 2019
By Lena Licata and Patrick Merli
On November 30, 2018, Marriott International announced that it had experienced a major data breach in its guest reservation database for its Starwood brand. The breach impacted 500 million individuals—compromising accounts, credit card information and passport numbers. An initial breach happened in 2014, thought to be perpetrated by Chinese intelligence services who gained access to the system via a phishing campaign. They installed a Remote Access Trojan (RAT) along with MimiKatz (an exploitation framework) to gain control of a privileged administration account. This all happened two years before the merger of Marriott and Starwood. However, it was not detected until September 8, 2018, when a newly installed security tool flagged suspicious activity, which then led to an investigation. How can something like this go unnoticed for so long?
A Confluence of Events
For starters, Starwood reportedly had a poor security culture prior to the merger. Some of those familiar with the situation said that the company did not meet the qualification standards for being PCI-DSS compliant. This compliance is a set of industry security standards designed to ensure that companies that accept, process, store or transmit credit card information maintain a secure environment. Furthermore, security employees found the system difficult to secure, as evidenced by a separate 2015 attack that took eight months to detect. After the merger in 2016, Marriott was not ready to deploy its proprietary reservation system into all of their new locations and, as such, left Starwood’s system in place. At the same time, Marriott laid off most of Starwood’s corporate staff, including those in IT and InfoSec, who were the most knowledgeable about the native system.
While Marriott mitigated a large part of the initial losses from the breach via cyber insurance, the indirect/direct loses of revenue, lawsuits and fines are expected to be significant. The U.K. levied a £99 million (approximately $123 million) fine against Marriott for the violation of privacy rights under GDPR, citing a failure to perform proper due diligence. U.S. lawsuits, also citing due diligence failures, are still pending.
Performing a cyber-risk assessment right before or immediately after a merger is a must in today’s world. No organization can afford to assume that the system they’re acquiring hasn’t been breached or that its network is breach-proof. Risk assessments, penetration testing, vulnerability assessments and compliance standards are all necessary to discover issues within an organization’s IT infrastructure. These techniques can help prevent breaches and, if one does occur, make detection and response as effective as possible. The longer a breach goes undetected, the more damaging it can be, and the more liability exposure to which an organization can be exposed.
Listen to our podcast on The Marriott Cyber Attack – How You Can Protect Your Data