Dealing With the Aftermath of the 500 Million-Guest Marriott Breach

“I find it frustrating that so many breaches are still occurring ...”

The fallout continues, including a Congressional letter from NAFCU, following Marriott International’s announcement of a security breach that compromised the personal data of 500 million guests staying at Starwood properties.

The Bethesda, Md.-based chain, which operates more than 6,700 properties globally, said in a Nov. 30 statement that it is investigating a data security incident involving the Starwood database. Marriott discovered the incident on September 8, 2018, but the unauthorized access dates back to 2014.

For approximately 327 million guests the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the data also included payment card numbers and expiration dates. Although the payment card numbers were encrypted using the Advanced Encryption Standard, Marriott has not been able to rule out the possibility that both components needed to decrypt the card numbers were taken.
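The "both components" Marriott refers to are the encrypted card data and the key material needed to decrypt it; AES protects the numbers only as long as an intruder who copies the database cannot also copy the key. The Go program below is an added illustration of that separation, not Marriott's implementation (the announcement gives no such details). It uses envelope encryption: each card number is sealed under its own data encryption key (DEK) with AES-256-GCM, and the DEK is stored only in wrapped form under a key-encryption key (KEK) that is meant to live outside the database (an HSM or key management service). The `Record` layout, function names and the sample card numbers are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample card numbers (standard test PANs, not real accounts).
var sampleCards = []string{"4111111111111111", "5500000000000004"}

// Record is what lands in the database table: the encrypted PAN and the
// wrapped DEK. Neither can be used without the KEK, which is stored elsewhere.
type Record struct {
	EncryptedPAN []byte
	WrappedDEK   []byte
}

// seal encrypts plaintext with AES-GCM under key and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's authentication tag makes a wrong key fail loudly.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptCard generates a fresh DEK per card, encrypts the PAN with it and
// wraps the DEK under the KEK. Only the wrapped DEK is persisted.
func EncryptCard(kek []byte, pan string) (Record, error) {
	dek := make([]byte, 32) // AES-256 data key
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	encPAN, err := seal(dek, []byte(pan))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{EncryptedPAN: encPAN, WrappedDEK: wrapped}, nil
}

// DecryptCard needs the KEK to unwrap the DEK before the PAN can be recovered.
func DecryptCard(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := open(dek, r.EncryptedPAN)
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := make([]byte, 32) // in practice: held by an HSM/KMS, never in the DB
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	for _, pan := range sampleCards {
		rec, err := EncryptCard(kek, pan)
		if err != nil {
			panic(err)
		}
		// A thief holding only the table contents (rec) has no usable key.
		_, err = DecryptCard(make([]byte, 32), rec)
		fmt.Printf("stolen table only: decrypt error = %v\n", err != nil)
		// A thief holding the table AND the KEK ("both components") recovers the PAN.
		got, _ := DecryptCard(kek, rec)
		fmt.Printf("table + KEK: recovered %s\n", got)
	}
}
```

The design point is that the security of the stored card numbers reduces to the confidentiality of the KEK, so the KEK must be stored and audited separately from the database host; an attacker who can copy both has effectively copied plaintext.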

Marriott said it will provide guests with WebWatcher, an online account monitoring service, free of charge for one year.

Hotels have consistently been hacking targets and a concern to the credit union and payments industries as a result. With every new data breach revelation making headlines comes new calls for rules about privacy protection in the United States.

Carrie R. Hunt, NAFCU EVP of government affairs and general counsel, addressed concerns following the Marriott breach in a letter to the House Financial Services Committee: “As NAFCU testified before the Financial Institutions and Consumer Credit Subcommittee last November, there is a need for a national data security standard for entities that collect and store consumers’ personal and financial information that are not already subject to the same stringent requirements as depository institutions. While it may not help the millions of Americans that have been victimized by this breach, the time for Congress to act is now to prevent future breaches and harm to consumers.”

In August 2016, NAFCU President and CEO Dan Berger issued a statement following a string of hotel breaches including HEI Hotels & Resorts, Hyatt Hotels and Starwood Hotels & Resorts: “These hotel data breaches, many of which are repeat offenses, as well as the latest data breach to Oracle’s point-of-sale systems, affirm the urgency with which Congress needs to pass strong national data security standards for retailers.”

States have been proactive on data privacy. In November 2017, Hilton reached a $700,000 settlement with New York (which has already opened an investigation into the latest Starwood breach) and Vermont over two separate data breaches discovered in 2015 that exposed more than 360,000 payment card numbers. Meanwhile, a federal data privacy law appears closer to fruition, with some legislators indicating that a bipartisan U.S. privacy bill could be drafted early next year.

There are some other takeaways from Marriott’s breach announcement.

Matt Rizzetta, branding expert and CEO of public relations/social media agency North 6th Agency, said: “Customer loyalty crises tend to be exacerbated in industries such as travel and hospitality because the connection between the consumer and the brand is so intimate.” He added that Marriott took the right approach in showing swift, actionable steps to address the problem and demonstrated an empathy with the customer that many travel and hospitality brands affected by data breaches have lacked.

According to Colin Bastable, CEO of Lucy Security, “Kudos to Marriott for getting the news out as soon as they learned about the breach. It will be very painful for Marriott’s staff and shareholders, especially as this breach apparently started four years ago. Ninety-six percent of cyberattacks start with a phishing email and continue to badly impact consumers and the C suite long after the attack. Marriott’s fast reporting shows some other recent cyberattack victims up in a bad light.”

However, Chris Stoneff, vice president of security solutions at Bomgar, looked at the incident differently. “I find it frustrating that so many breaches are still occurring, surrounded by the same central issue of privileged access, that companies are not being more proactive about taking simple measures. Home Depot, Target and now Marriott.” Stoneff added that “it is considerably cheaper to implement proper privileged access and session controls than to be the victim of such a breach.”

Andrew Useckas, chief technology officer of Threat X, believed that the hotel chain made compliance-driven security investments rather than putting in place a comprehensive security strategy that mitigates risk. “We see it time and time again, that with the constantly evolving threat landscape this compliance-driven mentality satisfies ‘requirements’ and the lawyers, but it becomes a reporting function and sets an organization up for serious vulnerabilities and breaches.”

After a data breach has been discovered, investigators often find adversaries have been occupying the network for days, if not months, and sometimes, as in Marriott’s case, years, said Stephen Moore, chief security strategist at Exabeam. “Frequently, an intrusion is detected by a notable change, such as a rapid increase in network traffic, a suspicious system login location or time, or the unusual export of sensitive information. But not all attacks have an obvious pattern.” Moore maintained that adversaries often gain access to a network and then conduct a low and slow attack.
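The signals Moore lists (an unusual login location or time, an unusual export of data) are what a baseline-and-deviation check produces. The Go program below is an added example, not Exabeam's product logic: it parses a small constructed access log, builds a per-user baseline of countries seen, login hours and largest export size from a training window, and then flags later events that deviate from it. The log format (RFC 3339 timestamp followed by `key=value` fields), the constructed log lines and the thresholds (a login hour is "usual" if within two hours of one seen before; an export is "unusual" above ten times the largest prior export) are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Constructed training log: the quiet period used to learn what "normal" looks like.
const TrainingLog = `
2018-08-01T09:05:00Z user=alice country=US action=login
2018-08-01T10:12:00Z user=alice country=US action=export bytes=2048
2018-08-02T09:40:00Z user=alice country=US action=login
2018-08-02T14:03:00Z user=alice country=US action=export bytes=4096
2018-08-03T11:20:00Z user=bob country=US action=login
`

// Constructed suspect log: a night-time login from a new country followed by a bulk export.
const SuspectLog = `
2018-09-08T02:14:00Z user=alice country=XX action=login
2018-09-08T02:20:00Z user=alice country=XX action=export bytes=5000000
2018-09-08T09:30:00Z user=bob country=US action=login
`

// Event is one parsed log line.
type Event struct {
	Time    time.Time
	User    string
	Country string
	Action  string
	Bytes   int64
}

// ParseLine parses "<RFC3339 time> key=value ..." into an Event.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return Event{}, fmt.Errorf("bad field %q", kv)
		}
		switch parts[0] {
		case "user":
			ev.User = parts[1]
		case "country":
			ev.Country = parts[1]
		case "action":
			ev.Action = parts[1]
		case "bytes":
			n, err := strconv.ParseInt(parts[1], 10, 64)
			if err != nil {
				return Event{}, err
			}
			ev.Bytes = n
		}
	}
	return ev, nil
}

// ParseLines parses a whole log, skipping blank lines.
func ParseLines(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// Baseline holds per-user normal behaviour learned from the training window.
type Baseline struct {
	countries map[string]map[string]bool // user -> countries seen
	hours     map[string]map[int]bool    // user -> UTC login hours seen
	maxExport map[string]int64           // user -> largest export in bytes
}

func BuildBaseline(events []Event) Baseline {
	b := Baseline{map[string]map[string]bool{}, map[string]map[int]bool{}, map[string]int64{}}
	for _, e := range events {
		if b.countries[e.User] == nil {
			b.countries[e.User] = map[string]bool{}
			b.hours[e.User] = map[int]bool{}
		}
		b.countries[e.User][e.Country] = true
		if e.Action == "login" {
			b.hours[e.User][e.Time.UTC().Hour()] = true
		}
		if e.Action == "export" && e.Bytes > b.maxExport[e.User] {
			b.maxExport[e.User] = e.Bytes
		}
	}
	return b
}

// usualHour treats an hour as normal if it is within two hours (wrapping at
// midnight) of any login hour seen in training, to avoid alerting on small drift.
func (b Baseline) usualHour(user string, h int) bool {
	for known := range b.hours[user] {
		d := (h - known + 24) % 24
		if d <= 2 || d >= 22 {
			return true
		}
	}
	return false
}

// Detect returns one alert string per rule an event violates.
func Detect(b Baseline, events []Event) []string {
	var alerts []string
	for _, e := range events {
		ts := e.Time.Format(time.RFC3339)
		if b.countries[e.User] == nil {
			alerts = append(alerts, fmt.Sprintf("%s: no baseline for user %s", ts, e.User))
			continue
		}
		if !b.countries[e.User][e.Country] {
			alerts = append(alerts, fmt.Sprintf("%s: %s %s from unusual country %s", ts, e.User, e.Action, e.Country))
		}
		if e.Action == "login" && !b.usualHour(e.User, e.Time.UTC().Hour()) {
			alerts = append(alerts, fmt.Sprintf("%s: %s login at unusual hour %02d UTC", ts, e.User, e.Time.UTC().Hour()))
		}
		if e.Action == "export" && e.Bytes > 10*b.maxExport[e.User] {
			alerts = append(alerts, fmt.Sprintf("%s: %s exported %d bytes (previous max %d)", ts, e.User, e.Bytes, b.maxExport[e.User]))
		}
	}
	return alerts
}

func main() {
	train, err := ParseLines(TrainingLog)
	if err != nil {
		panic(err)
	}
	suspect, err := ParseLines(SuspectLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(BuildBaseline(train), suspect) {
		fmt.Println("ALERT", a)
	}
}
```

Bob's 09:30 login produces no alert because it sits within the tolerance window of his 11:20 baseline, while Alice's 02:14 login from a new country and the 5 MB export that follows produce four alerts between them. The same structure scales to the "low and slow" case Moore describes only if the export rule also aggregates volume over a sliding window; a per-event threshold alone will miss an attacker who stays under it.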

Rebecca Herold, president of SIMBUS and CEO of The Privacy Professor, recommended that credit unions consider sending their members a message about this huge breach and advise them to replace their credit cards with new ones. If a credit union has EU members, it also needs to address the GDPR non-compliance issues related to securing their member data. “They need to have safeguards, and access to member records based on individuals’ right for such, in place.”