The Marriott Cyber Attack – How You Can Protect Your Data
January 10, 2019
In this podcast, Deborah Friedland, head of EisnerAmper’s Hospitality Advisory Services, and Lena Licata, a director specializing in Process, Risk, and Technology Solutions, discuss the massive data breach at Marriott International. Our experts examine what set the stage for a cyber attack, the type of data taken and by whom, what remedial measures the hotel chain is taking, how your company can proactively prevent such a hack, and more.
DP: Tell us how a data breach at a hotel chain might be different from, say, a retailer or a bank or some other business sector.
DF: Marriott's strengths lie in its loyalty program. Its loyalty program impacts millions of people. To give you an idea about how important the loyalty program is, I believe most people are familiar with the loyalty program, where you stay at a hotel and you are given points, and after a certain number of points you can pay for that very expensive vacation with your family. Guests are known to travel miles just to stay at a Marriott-branded hotel to get those points. So the loyalty program is extremely important to Marriott. A hospitality program is all about experience and all about trust. That's how they achieved the loyalty from so many millions of people. So when you're talking about a breach, where all these people have provided their very personal information, and now all of a sudden it's out there and as a company you have not protected that information, that's significant, that's personal. So I think that it impacts a hotel chain much more than a widget company, let's say, where people are really your assets.
DP: Deb, staying with you. Tell us about Marriott's cleanup efforts here: customer communications, credit monitoring and so forth.
DF: Marriott released a press release on November 30 communicating the size of the breach and the impact. What's been said in the release is that Marriott is setting up a call center where guests can call in and get information about the breach. They're providing email notifications to all guests whose data has been breached, and they're providing a one-year web watcher subscription. It sounds like they're going to be covering fraud consultation services and reimbursing guests whose data has been stolen and who have suffered consequences. That's what's been communicated. Marriott has not said that they will pay to replace passports of the individuals whose passport numbers have been stolen, and Lena can chime in as to why this is such a big issue. They're not providing people with the reimbursement to replace these passports, and that could be billions of dollars in terms of cost to the company. I think the concern is that obviously investor sentiment is down, but I think that the concern is it's about a 10-year length of time for which adults have to renew their passports, and 10 years is a long time to go without knowing if your data was breached and how it might be being used.
DP: Lena, let's get you involved here. From what you've heard, how were the bad actors able to penetrate Marriott and what did or didn't set the stage for this?
LL: It's interesting that how they got the information has not been released. There have been a couple of ex-Marriott employees who've come out and said how Marriott's IT is structured, this is what we're thinking, this could have occurred. It's looking like it occurred in the data warehouse, which is a data aggregator from different systems such as a reservation system or the loyalty program, the guest rewards systems. The interesting thing is that it occurred with the Starwood brand, which is a much smaller brand of the greater Marriott brand. However, when you look at what data Marriott has begun to migrate, it is from that data warehouse. It's interesting, too, that they can say that someone's been in since 2014, and they also said that they finally caught it because of an alert of an internal security tool. And it makes me believe people are starting to ask the question: why now? Why did it alert now? It could be that Marriott just installed this alert monitoring tool. We are seeing that as a move in the industry where companies are beginning to do this proactive monitoring. It's definitely a great place to be. That could be why. The good thing is that Marriott did encrypt this data, so you can say that they stole encrypted data. The bad thing is that Marriott has said that they could have potentially stolen the encryption key as well, so if they stole the encrypted data, it's gonna take them a long time to decrypt it, or they're going to have to look for the specific encrypted hashes on the dark web to see if it matches another hash that's already been decrypted. But if they have the decryption key, then all bets are off. It'll be a lot easier for them to do so. So I think that we're going to hear a little bit more about exactly how they penetrated. We now know who it was. It came out in the news today that it was the Chinese that did hack in.
In today's day and age you hear a lot about spear phishing, which is a phishing email that specifically targets the controller and the CEO of a company. If you want to make sure, ask the controller to wire money on a day when the CEO is out of town, and you have access to Marriott's data warehouse and you can see that he has booked a reservation at a certain property in a certain country, then you can tailor that spear phishing email to say, hey, so-and-so controller, I'm in Asia this week and won't be back until X date. Please make sure you wire the money. I don't have time and I'm not in the office and I don't have access. So you can't confirm with me, and the likelihood is that those data points may all be correct. Then your fraudulent activity will go through.
DP: I also read in The Times article this morning that you reference, it appears that Marriott is the top provider to U.S. government employees in the military. So they say that had something to do with it as well.
LL: It makes sense that Marriott, as a top provider, when you look at the span of hotels within Marriott's reach, I would say, and this again it's affected Starwood, which is a little bit more of a higher brand. You've got W, Westin, Aloft, Sheraton; you're going to get executives staying. When you look at Marriott as a brand, you've got the entire spectrum from your lower-end suites hotels, your mid-range, regular Marriott, the Starwood side of the St. Regis, so you've got every kind of person and job category that's going to stay at Marriott. So, yes, you're going to affect some pretty high-level important people.
DP: What kind of data were they aiming for? And where does that data go once they get it? What do they do with it?
LL: The interesting thing is, because it was the data warehouse, it's an aggregate of a number of different systems. So you're going to have a lot of different information. Name, mailing address, phone number, email address, passport number, Starwood guest information, date of birth, gender, reservation information, arrival, departure, communication preferences, what kind of pillows you like. It's also credit card information, and it could be sold on the black market or the dark web. One of the things that I think you're going to find is human nature. People, if you need to remember a password, are you going to use the same password? So what is valuable also about some of the password information that they could have stolen is that your Marriott password is probably your social media password. It could be your bank password, it could be a number of different things. So it's not just the data pieces by themselves, it's also the aggregate of what they have from other sources that could also be damaging.
DP: So if I stayed at a Marriott property over the last several months, what would you advise I do?
LL: Number one, make sure that the password that you're using for Marriott and Starwood is not a password for other sites. I would recommend that you keep an eye on your credit. Look for anomalies in your bank accounts. I believe the press release did say that if you were directly affected as part of this breach, they're going to be reaching out to pockets of people directly for credit monitoring. And when I did some research on that, it looked like people have not been notified other than the general press release that we all received, myself being someone who also stays at Starwood and Marriott properties. I think it's about being a diligent monitor and, where you can keep information unique, doing so.
DP: From the corporate side, what are some things that a company can do? And really I'm looking at any company, whether they're the size of a Marriott or they're a small family business, what can they do? Some simple things to protect themselves from cyber fraud.
LL: When people aren't doing things about cybersecurity and they ask me where to start, I generally say, get yourself a cyber-risk assessment, which is going to look wide and shallow at the controls, and it's going to highlight major red-flag areas for you to remediate. I also highly recommend that you get a vulnerability assessment done, so both the vulnerability assessment as well as the penetration test look both internally and externally at the configurations of your systems and make sure that you don't have holes. There are very basic control failures that are generally what leads to these breaches, so it is either phishing, someone clicks on something or someone provides credentials thinking that it's something legitimate and it isn't, and that's how people are getting in. Or they have a configuration that isn't set properly and there's a hole and someone can get in, and then they move laterally within the organization, and that's from a smaller company perspective. The other thing from a smaller company perspective is look at access within your company. Look at all the different points of where your data resides. Who has access to it? Keep that to an absolute minimum: only people that need access to something should have it. I don't care if you're the CEO, you don't need access to everything. From a larger company perspective, or even a medium-sized company, the proactive monitoring, the solution that actually identified this breach, is a wonderful solution. We as a firm contract with a company that does this work called Cloud Access. If anything can produce a log, we can ingest it. We can set alerts and rules on these logs to let us know when there are suspicious logons after hours, suspicious activity by certain IDs, firewalls, networking logs, etc. That is a little bit more expensive than your mom and pop's, but anybody even midmarket to approaching Marriott should be moving in that proactive direction.
And I think that one other way that is really helpful to companies, and you're seeing a lot of this today as a highlight in the next step in protection, is we all think about how do we protect our house as a company and how do we protect our four walls. In today's culture, we're outsourcing everything. We're using cloud-based systems. So vendor risk management has become a massive hot topic. Do you know how many vendors you have? Do you know what data you're sending them? Do you know the classification and the risk of that data that you're sending them? And then what controls do you have at those vendors? Have you looked at their controls, have you analyzed and looked at their security and looked sort of outside the four walls of your house at what actually encompasses it, but you don't think of it as your house because you've outsourced it? That's become a massive hot topic. That is incredibly important. I would encourage everyone from mom and pop all the way up to a Marriott-size company to start thinking about that. Putting programs and processes in place to identify high-risk vendors and look at their security controls, because you can be as secure as you want, and if you hand it off to Joe Schmo and he doesn't care about your data, that's your big hole.
DP: Good stuff. So as a business advisor, you know all too well that a company's reputation can hinge on how it responds to adversity such as this. In your opinion, Lena, do you think Marriott is handling this well?
LL: When I think about it from the perspective of Marriott as a company and how they're handling it, they clearly have hired companies to help them with this breach. They clearly had a plan in place and they're clearly dealing with this breach, and we realize that because of the tight-lipped nature and how they're keeping this close to the vest. That being said, does it mean that they're necessarily doing the right things for me as a consumer? Not necessarily. I think that we'll find out, based on their response and what they do for me as a consumer to prove to me that they're going to make this right and they're going to protect my data in the future, and the communications they send out about that; time will tell. You know, these loyalty programs are very important, especially when you travel for business and you travel a lot. You're pretty loyal because you know that, I work hard, but I get these points, and when I have time off, I don't pay for my vacations. I take my family, it's wonderful. And as long as I always stay at Marriott, I get Marriott points and I'm going to have a free vacation. So if they don't treat this right, this could be an excellent opportunity for other brands such as Hilton to highlight their security controls and win over some executives that then will be loyal to them. That could actually really hurt them in the long run.
DP: Deborah, let's wrap up with you. Being a business advisor less on the IT side of things and more on the business advisory/financial side, are there any recommendations that you would make to Marriott regarding this incident?
DF: I think what's important to look at, too, is how investors treated the stock and the message that the investors are sending to the company. And I think that's a perfect indication that the public does not feel like Marriott is doing enough, right? Because we look at value, how a company is valued, based on their stock price for a public company. And I think if you look at their stock price since they've announced, the first day after the hack they dropped about 6%, which was about $1.8 billion of lost equity market capitalization. And then since then the stock has tumbled even further. So I think that's a clear indication that the public does not feel that they're doing enough and that there's still tremendous risk out there. In fact, I think Senator Chuck Schumer put it perfectly and concisely when he said the company should reimburse any individual who decides that they would feel more secure to get a new passport. So I think that's going to be the step that Marriott is going to have to take and say, hey, you know, you've trusted us for so many years, you've been loyal to us. We're going to do the right thing by you. We're going to reimburse you for a new passport and we're going to make sure that this doesn't happen again. I think also another ramification that we might see is that the company, and many people know this, that Marriott's an asset-light structure, so they typically do not own most of their hotels. It's private owners who own them, public or private, but not the Marriott company. They don't own the properties. And I think that what we'll probably see is that the owners will have to bear more risk for these cybersecurity systems on the property. I think that's where we're going to see it. The bottom line is, again, getting back to the stock price and the tremendous decline in the value of the company. It's a lesson to consumer companies that, when your customers are your most important asset, you've got to do a better job protecting their data.
You've got to make the investment upfront in cybersecurity costs, because a situation like Marriott's is going to cost you billions.
DP: What about long-term impact, let's say five to 10 years? Do you think they're able to bounce back and get back to business as usual?
DF: I think right now there are so many unknowns about the legal costs and the near-term technology costs to resolve this issue. We're unclear about the insurance coverage and any deductibles. On the longer term, we're unsure about the reputational costs and trust. There's such a huge unknown about how much was taken and what the data is being used for. I think that Lena made a point in saying that many times the data that is stolen in situations like this shows up on the dark web and the individual that stole the information profits, but we're not seeing that information. We didn't see the information show up on the dark web, so we're not really clear about what the ramifications are, what it's been used for. A lot of unknowns right now. And again, a lot of the analysts who cover the stock are sitting on the sidelines and urging to just hold for right now, not go in and nibble.
DP: Thank you so much for this valuable information. Definitely a word to the wise. Thank you for listening to the EisnerAmper podcast series. Visit EisnerAmper.com for more information on this and a host of other topics and join us for our next EisnerAmper podcast when we get down to business.