To recap one of the major events of 2018: the news that 500 million customer records from the Starwood Hotels and Resorts guest reservation database had been compromised shocked and dismayed industry leaders, lawmakers and consumers alike. Not only was this breach one of the largest in history, but the personal information accessed was also unusually broad in scope, including customers’ gender, birth dates, email and postal addresses, passport and telephone numbers, and payment card information. Particularly noteworthy, and troubling, is the unusually long dwell time involved: the attackers reportedly had access to the Starwood database for four years before the breach was discovered.
Starwood Hotels and Resorts is a subsidiary of Marriott International, the world’s largest hotel chain, with nearly 1.3 million rooms in 6,700 properties worldwide and over $22 billion in annual revenue. As an established brand and industry giant, Marriott might be expected to maintain higher information security standards than the industry norm, and to have more resources to invest in advanced cybersecurity technologies. But this seems not to have been the case.
The long-term financial implications of the incident are hard to predict. Marriott’s stock has already fallen approximately 6.8% since the breach was announced. A class-action lawsuit was initiated in New York in an attempt to recover investors’ losses. And civil penalties and fines are likely to cost the company between $200 and $450 million, depending in part on the size of the fee assessed for failing to comply with Europe’s General Data Protection Regulation (GDPR). Direct costs for notifying customers and supplying them with free data or credit monitoring services are estimated to fall in the range of $500 million.
Even more likely to cause long-term damage, though difficult to quantify, is the hit that Marriott’s brand reputation has already taken. Among the numerous mentions the incident has received in major media outlets, a front-page article in the Wall Street Journal suggested negligence by reminding readers that “the company missed a significant chance to halt the breach years earlier,” and an expert commentator at Forbes questioned whether Marriott was “putting customers at risk because it assumed the cost of a breach would be less than the cost of better security.” It’s fair to say that in popular opinion, Marriott is perceived to be at fault.
Though Marriott has created a website offering information about the incident and the company’s response, few details about the actual tools, processes and procedures that were in place at the time of the attack have been made public. Nonetheless, the facts that we do have—including Starwood’s breach history—can lead us toward some tentative conclusions about what may have made this breach possible, and what other hospitality leaders can learn from the incident.
#1: Mergers and acquisitions (M&A) come with exceptionally high cybersecurity risks, and these need to be addressed proactively.
Marriott completed its acquisition of Starwood in the fall of 2016. With the $13 billion purchase, the company took control of Sheraton, Westin, W and St. Regis hotel properties, but it also took on a significant technical challenge—merging disparate reservations systems, loyalty programs and their underlying databases. From the outset, the integration of Starwood’s legacy systems with the existing Marriott infrastructure proceeded more slowly than was expected, and was riddled with technical difficulties.
Starwood’s reservation system and databases were already particularly vulnerable to attack because they’d been cobbled together from multiple payment and property-management systems already in use in the various hotel brands that Starwood itself had acquired. Integrating this system with the Marriott infrastructure further increased the challenges, and the level of risk, involved.
#2: Systems that have already been breached are more likely to be breached again.
Shortly after its acquisition by Marriott, in November of 2015, Starwood announced that it had suffered a relatively small breach of its point-of-sale (POS) systems in restaurants, gift shops and other service areas in more than 50 of its North American hotels. We don’t know if, or exactly how, that earlier incident is connected to the more recently discovered, much larger breach.
But we do know that the more recently discovered attackers already had access to the Starwood databases at the time of the company’s acquisition by Marriott. And we know that the POS compromise began in 2014 as well. We can be sure that the two security events were, at the very least, concurrent.
As security experts have noted, this would not be the first time that an intrusion that initially appeared to have been limited to POS compromise was later found to have been part of a much larger-scale attack. And the fact that the earlier incident took place continues to raise questions about the efficacy and thoroughness of Marriott’s investigation and incident response procedures.
#3: It’s absolutely vital that encryption keys be segregated from encrypted data.
The intruders in the Starwood database encrypted the information they’d accessed, most likely so that a data loss prevention (DLP) tool in use on the network would not detect its removal. As a result, determining exactly which records were involved isn’t straightforward.
The payment card data involved was encrypted using the robust Advanced Encryption Standard (AES-128) algorithm, which requires two separate key components to decrypt. Marriott, however, has admitted that it cannot “rule out the possibility that both were taken,” suggesting that the encryption keys may have been stored on the same network segment that was compromised. Keeping keys alongside the data they protect nullifies all the benefits of using encryption: whoever copies the database also copies what is needed to read it.
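The following Go program is an added illustration of the two-component key design the paragraph describes, not code from the original article or from Marriott’s systems: an AES-128 key is split into two XOR shares, one meant to sit beside the database and the other in an HSM or key-management service, and records are sealed with AES-GCM so that a copy of the database plus its local share still fails to decrypt. The function names (`SplitKey`, `NewAEAD`, `Seal`, `Open`) and the sample record are this example’s own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// SplitKey splits an AES-128 key into two XOR shares meant for separate network
// segments (database side vs. HSM/KMS); either share alone is uniformly random.
func SplitKey(key []byte) (a, b []byte, err error) {
	a = make([]byte, len(key))
	if _, err = rand.Read(a); err != nil {
		return nil, nil, err
	}
	b = make([]byte, len(key))
	subtle.XORBytes(b, key, a) // key = a XOR b, so b = key XOR a
	return a, b, nil
}

// NewAEAD recombines the two shares and returns AES-GCM under the real key.
func NewAEAD(a, b []byte) (cipher.AEAD, error) {
	key := make([]byte, len(a))
	subtle.XORBytes(key, a, b)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record, prepending the random nonce to the ciphertext.
func Seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts; under a wrong key the GCM tag check fails and nothing leaks.
func Open(gcm cipher.AEAD, ct []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:ns], ct[ns:], nil)
}
```

In a real deployment the recombination in `NewAEAD` would run only inside the HSM or key service, so the full key never exists on the database segment; an intruder who exfiltrates the database and the share stored next to it holds only random-looking bytes.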
#4: The only route to information security maturity is to adopt an “assume breach” mentality.
Because of the exceptionally long dwell time of these attackers on the Starwood network, some analysts believe that they were nation-state level threat actors with extensive resources at their disposal and high levels of sophistication. It’s almost impossible for any organization, even one with enterprise-grade information security management systems in place, to prevent these kinds of attackers from gaining a foothold in their systems.
The companies most successful at mitigating these risks are those whose focus has shifted from breach prevention to improving detection and response. Although standard best practices such as applying available patches promptly and running anti-malware programs on endpoint devices are helpful, they’re not enough to guarantee the security of today’s complex systems in the current threat landscape.
#5: Rapid detection and response require 24/7 network monitoring, both by “intelligent” tools and by highly trained humans.
The Marriott breach should serve as a wake-up call, reminding hospitality industry leaders that today’s systems need multilayered defenses. In particular, log data from every device in the ecosystem, every network flow, every Windows Active Directory domain and every database needs to be monitored constantly. This monitoring is best accomplished by systems that rely on machine learning to distinguish the truly meaningful alerts from the false positives, so that security engineers’ attention, a finite resource, can be focused on the right place at the right time.
To learn more about how the Secureli platform offers small and medium-sized businesses an enterprise-level security infrastructure at an affordable price, contact Netswitch today.