On 30 November, Marriott International announced that the accounts of up to 500 million guests of former Starwood hotels had been hacked. The data breach, which started in 2014, over a year before Marriott acquired Starwood and became the world’s largest hotel operator, is the most severe and extensive in the industry’s history. Outside of hospitality, only Yahoo has had more private customer data compromised.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive officer, in a press release accompanying the announcement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Within Europe, Marriott is likely to be held liable under the EU’s General Data Protection Regulation (GDPR), and could face financial penalties of up to 4% of its annual global revenue, or close to $1 billion. A number of class action lawsuits have already been filed, and along with facing $200 million in US fines and litigation expenses, Marriott could end up spending as much as $1 per customer notifying victims and providing free data-monitoring services, according to Morgan Stanley. In the aftermath of the hack, US lawmakers have also called for a nationwide version of California’s GDPR-equivalent, the Consumer Privacy Act.
At the time of writing, Marriott has released scant information about the attack, which investigators believe is linked to the Chinese Ministry of State Security. Nevertheless, the company’s dedicated incident website indicates that for approximately 327 million of the 500 million customers whose data is stored in the Starwood guest reservation database, hackers gained access to some combination of their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
Some of these guests’ payment card numbers and expiration dates were also copied and encrypted. Although Marriott uses the advanced encryption standard AES-128 to protect payment card numbers, it is possible that both elements required to decrypt the information were also taken.
For other guests who made reservations at former Starwood properties on or before 10 September 2018, the information was limited to names and possibly addresses.
Cybersecurity experts have expressed shock and opprobrium at the failings that made the breach possible. Mike Ianiri, director of telecoms company Equinox, is cutting in his assessment.
“Data breaches unfortunately do happen,” he admits, “but to give access to a hacker since 2014 is unacceptable for such a large corporation that holds huge amounts of data on their clients. It seems no one was taking the chain’s security seriously.”
Sam Curry, chief security officer at Cybereason, speaks in terms of death and penance.
“Saying you are sorry isn't falling on a sword or issuing a mea culpa,” he says. “It has to have meaning. And I don't care about the result but rather the action or inaction. It is less about bayoneting the wounded and a lot more about how Marriott makes sure this never happens again.”
Given Marriott’s response so far, Curry is unlikely to tone down his language soon. The hotel group has been notifying guests that they may have been affected by the breach with emails from the suspicious-looking third-party address starwoodhotels@email-marriott.com. Unhelpfully, the domain email-marriott. com does not load and has no certificates proving its legitimacy. The only way to tell that it can be trusted is by clicking on a note at the bottom of the dedicated incident site at answers.kroll.com, itself a confusing and largely unexplained domain.
Equally, Marriott failed to secure similar email addresses (email-mariott.com or email-marriot.com), opening concerned customers up to the risk of phishing. All of these issues could have been avoided if Marriott had used its own website to coordinate its response to the breach.
“There are plenty of ways hotels can beef-up their security and ensure their guests’ data is protected,” says Ianiri. “Failing to do so shows either incompetence, a lack of respect for guest privacy or a complete failure to understand the impacts of data breaches like these.” At present, the hospitality giant is showing little sign of improvement in any of these three areas.
In fact, back in 2016, James Rashleigh, a director of PricewaterhouseCooper’s cybersecurity business, told this magazine that, “The organisations that are better at this… have got the board in a room and have done a crisis episode in which they’ve said, ‘We have just been hacked and have lost our most sensitive customer data. What are we going to do about it?’”
Clearly, Marriott could have listened more closely.
Warning signs
A breach of this scale and duration is certainly shocking, but it’s hardly the first cybersecurity incident to affect the company.
Back in June 2017, independent cybersecurity experts identified that Marriott’s Computer Incident Response Team (CIRT) had been compromised by a piece of malware. Although the issue was quickly addressed, the hotel group could – and arguably should – have used the incident to trigger a thorough review of its security situation and identify the breach in the Starwood guest reservation database. As it is, the hotel group remained unaware of the issue until an internal security tool issued an alert about an attempt to access Starwood’s data.
Observers, including former Starwood technology vice-president Israel del Rio, have pointed out how unusual this is. It is unclear why an alert would be issued after four years of unauthorised access, unless the security tool was brand new. Furthermore, del Rio, writing on Phocuswire, argues that it is unlikely that the reservation database would include 500 million records, “given the practice to remove booking records a number of days after checkout”. His highest estimate for the number of items in that database is 200 million. Instead, he posits that it was Starwood’s data warehouse that was compromised.
Del Rio, who worked on the ‘Valhalla’ technology platform that others have blamed for the breach, may not be the most impartial commentator on its possible failings, but his points show just how many questions Marriott has yet to publicly answer.
Not that Starwood had the best track record in digital security either. In 2015, the operator announced that malware designed to steal credit and debit card data had been installed on point of sale terminals across 54 of its hotels in the US and Canada for up to seven months. Then, shortly after Marriott announced this four-year mega-breach, cybersecurity expert Alex Holden sent Forbes “screenshots that appeared to show cybercriminal access to Starwood corporate portals”, and detailed issues with the company’s use of a weak password for its cloud computing service.
Holden also told the US publication that, in 2014, Starwood’s website had a bug that could have been exploited to gain access to its databases. He alleges that the vulnerability was even publicised among hackers on the dark web.
In response to Holden’s claims, a Marriott spokesperson told Forbes that such scenarios are dealt with by most retail, restaurant and hospitality companies “on an ongoing basis”, and that they are often beyond companies’ control as they happen outside of their networks. According to this representative, thorough investigations have not shown any connections between Holden’s allegations and the latest incident.
That may well be true, but questions are bound to be asked after such a spectacular security failing, particularly when it persisted through a $13-billion merger that should, in theory, have required an extensive cyber-risk assessment.
Wake-up calls
In practice, however, the difficulty of merging and homogenising Starwood and Marriott’s data platforms and storage may actually have worked to obscure the issue. Given the value of Starwood’s customer records, particularly those in its esteemed SPG loyalty scheme, it’s possible that Marriott was too concerned with accessing the data itself to ensure it was properly protected.
That’s not an uncommon issue. As Andy Barratt, managing director of cybersecurity company Coalfire’s UK arm, says, “Any operation that doesn’t immediately provide a service for a guest is often pushed to the bottom of the pile, but data security is a fundamental expectation and needs to be viewed as part of the service offered to customers.”
Even in the aftermath of this titanic hack, digital security may continue to be a hard sell. Risk mitigation is far less likely to get a service industry excited than attracting and delighting customers. For hotels in particular, whose complex and distributed IT systems call for sophisticated and expensive multilevel security measures, it’s hard to focus the requisite time, money, and attention onto a difficult and continually evolving task.
Even so, the apparent links between this hack and the Chinese Government make the value of the data hotels hold clear for all to see. The information that was illegally accessed by hackers included passport numbers, and could be useful for espionage and counterintelligence purposes.
“It’s big-data hoovering,” Dmitri Alperovitch, chief technology officer at information security company CrowdStrike, told the New York Times. “This data is all going back to a data lake that can be used for counterintelligence, recruiting new assets, anticorruption campaigns, or future targeting of individuals or organisations.
“One thing is very clear to me, and it is that they are not going to stop this. This is what any nation-state intelligence agency would do. No nation-state is going to handcuff themselves and say, ‘You can’t do this’, because they all engage in similar detection.” Alperovitch speaks from experience, as he first identified the threat of Chinese hacking as vice-president of threat research at McAfee in 2011. Worryingly for Marriott, its failure to account for the value of its data could inspire the US Government to pick a new preferred hospitality provider.
Competitive advantage
Even the most integrated and up-to-date hotel operators are comprised of an array of local and global networks operating across a variety of terminals and devices. The security perimeter is vast, and traditional defences like firewalls and anti-virus software simply aren’t sufficient. If a reaction speed of four years shows anything, it’s that companies need to rethink their security procedures.
For security experts like Ianiri, the hack “shows the importance of penetration testing on a regular basis. If this was being done – as it should be – then the breach would have been detected years ago”.
A penetration test is a simulated cyberattack carried out to identify as many security weaknesses as possible. It’s a vital tool for ensuring a company’s digital defences are resilient to a range of unauthorised approaches, but it should not to be mistaken for a solution.
In fact, advanced companies now mix penetration tests with “red teaming”, a more intensive type of attack simulation that focuses specifically on exploiting the weakness that will best enable the red team to achieve a defined goal. Red teams can model social engineering attacks (by, for instance, posing as employees or contractors) and zero-day exploits (weaknesses to which even the software provider is oblivious) to keep security teams on their toes.
There is a real competitive advantage to having the strongest possible defences. Hacks are becoming more commonplace, and proving you know how to defend against and deal with them is going to be a vital differentiator for companies.
“At a time when a lot of the disruptors in the hotel sector are cloud-based,” points out Barratt, “a greater focus on digital infrastructure is not only a security necessity but also key to achieving commercial success in a quickly changing industry.”
– Mike Ianiri, Equinox
Hard questions
Nick Wyatt, head of tourism at GlobalData, has specific advice for Marriott in the aftermath of the hack.
“Marriott must show that it is employing post-breach consultants to help take all actions possible to protect critical digital assets,” he urges. “Such companies will also look to identify the characteristics of the hackers in a bid to pre-empt further attacks. If Marriott can demonstrate that it is using such services, its claims of reducing future data security risks will have far more credibility.
‘‘Marriott has a chance to repair the reputational damage inflicted by shaping the future for the better, and being seen as the catalyst for improved industrystandard systems would be a great fillip. It must seize this opportunity to turn a great negative into a positive.”
But even the most sophisticated and multifaceted implementation of penetration testing, red teams, perimeter defences, alert technologies and data leak prevention techniques (such as including and monitoring factitious database records that are never meant to be accessed) is no guarantee that a system won’t be breached. As such, companies need to think carefully about why they are holding on to so much customer data, how they are doing so, and what they can do to secure it.
The whole industry needs to ask itself the hard questions that Marriott didn’t, because loyalty is meaningless without trust. Data might be stored in ones and zeroes, but its impacts are far from abstract; there are few bigger betrayals than letting it be compromised.