What Can Organizations Learn from the Marriott Data Breach

The recent data breach disclosure by Marriott is an eye-opener to organizations, not only because of the extent of the breach – with up to half a billion guests affected, but also because of the length of time that the breach remained undetected – lasting nearly 4 years.

Marriott, currently the world’s largest hotel chain, has over 6,700 properties in 129 countries and territories, including Canada. The company has attained the stature of being the world’s largest hotel chain after it completed its acquisition of Starwood Hotels & Resorts Worldwide in September 2016.

Marriot, in a statement, said that from 2014 up to September 10, 2018, an “unauthorized party” accessed the Starwood guest reservation network affecting up to 500 million guests who made a reservation at Starwood properties. Out of the 500 million guests affected, the hotel chain said that data of 327 million of these guests was accessed without authority, including name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Financial data of an unspecified number of guests was also accessed by the unauthorized party, including payment card numbers and payment card expiration dates. While the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), the hotel chain said it won’t discount the possibility that the unauthorized party decrypted the payment card numbers.

Marriott didn’t specify what month or exact date in 2014 that the data breach started. It can be recalled that prior to the completion of Marriott’s acquisition of Starwood, in November 2015, Starwooddisclosed its own data breach, affecting nearly 100 Starwood hotels in North America.

Sergio Rivera, President of Starwood Americas, in a statement, said that point of sale systems at certain Starwood hotels were infected with a malicious software (malware), enabling “unauthorized parties” to access payment card data of some of the hotel customers.

Lessons from Marriott Data Breach

Here are some cyber security lessons from the recent Marriott data breach:

Implement Network Segmentation 

Marriott said that its own Marriott-branded hotels aren’t affected by the data breach at the Starwood guest reservation network as Marriott-branded hotels’ use a different network that wasn’t breached.

Network segmentation is the practice of dividing a computer network into subnetworks, with each network having a different purpose or usage. Implementing network segmentation in your organization ensures that in case one of the networks is infected with a malware, the other subnetworks won’t be infected.

By implementing network segmentation, the data breach at the Starwood guest reservation network was contained to this network alone, preventing the spread of the intrusion to Marriott’s other properties, including Marriott-branded hotels.

Encrypt Important Data

While encryption alone isn’t enough to protect important data, encryption adds a security layer in data protection. Encryption also means that an unauthorized party has to undertake an extra step and extra time to get the decryption key to unlock the encrypted files.

In the case of the Marriott data breach, the only data that was encrypted was limited to payment card numbers. The hotel chain though doesn’t discount that the unauthorized party had gotten hold of the decryption key or keys to unlock the encrypted payment card numbers.

Encryption doesn’t have to be limited to payment card numbers. In the case of the Marriott data breach, important personally identifiable information, including passport numbers, wasn’t encrypted. What happened in the Marriott data breach was that instead of the company doing the encryption to add an additional layer of protection, the unauthorized party did the data encryption in order to avoid detection by any data-loss prevention tools.

Data decryption isn’t an easy thing to do. According to Marriott, while it discovered the data breach on September 8, 2018, it took the company until November 19, 2018 to decrypt the files encrypted by the unauthorized party.

Always Assume that an Intrusion Has Occurred

To date, the cause of the Marriott data breach is still unspecified. The hotel chain, however, identifies the culprit of the data breach as “unauthorized party”, a phrase that could mean a malicious insider or a malicious outsider.

Network intrusion carried out by a malicious outsider could happen in many ways. This could happen via phishing attacks using malicious emails containing malicious links and malicious attachments or via unknown security vulnerabilities exploited by a malicious outsider.

Proactive organizations have adopted the assumption that their networks are vulnerable to intrusion. Many organizations today engage the services of “penetration testers”, also known as ethical hackers. These ethical hackers search for and exploit security vulnerabilities in web-based applications, networks and systems and report back to the organization for the organization to fix the security loopholes.

Monitoring any insider activities within the network is also important. Intrusion by a malicious insider should be assumed all the time. An insider has all the tools needed to abuse one’s access to the trove of data that your organization hold. Your organization must have an automated tool that flags unusual activities, such as abnormal working hours, abnormal access to voluminous data and most importantly unusual volume of data transfer.

Contact ustoday if you need assistance in protecting and detecting intrusions in your organization’s networks, resulting from the actions of a malicious insider or malicious outsider.