Marriott CEO Arne Sorenson testified to a U.S. Senate subcommittee Thursday, apologizing for the massive data breach that involved 383 million guest records in the Starwood hotels reservation system. He also shared changes the company plans to make to ward off future attacks.
Appearing before the Senate Homeland Subcommittee Hearing on Data Breaches, Sorenson was asked if he believes China was responsible for the attack.
“The short answer is, we don’t know,” he says. “And I feel quite inadequate about even drawing inferences from the information we’ve obtained.”
Sorenson says Marriott has given the F.B.I. information about IP addresses and malware tools used in the Starwood system so its investigators can try to determine the cause.
“We’ve simply been focused on making sure the door is closed and communicating with our customers,” Sorenson says.
Thus far Sorenson says Marriott has “not found any data that was removed from the Starwood database on the internet or dark web” and has not received any confirmed claims of loss attributable to the breach.
He told the panel that Marriott is addressing the risk of future cyberattacks with a “layered defense approach and continuous improvement.”
Looking ahead
Two key elements of the company’s strategy to prevent future attacks: encryption and decentralized storage of guest data, such as passport information.
“In the Starwood system it was done locally and then essentially centralized into the data system,” Sorenson says.
“There are pros and cons of allowing it to be entirely at property level. One of the pros is it’s a smaller target, if you will. One of the cons on the other hand is then if each hotel needs the same elaborate system of cyber defenses, can you make sure that you are delivering that?
“Those are issues we are working through right now. I think in all likelihood everything, passports, will be encrypted.
“Secondly, I think we’ll look very hard at not centralizing any of it but making sure that we’ve got appropriate tools at property level to protect against cyberattacks.”
Sorenson outlined the timeline of the breach investigation, which he says began on September 7, 2018, initiated by an alert from a cybersecurity tool.
But Sorenson says the investigation, involving Marriott IT staff, outside security experts and the FBI, did not determine until November 19 that the intruder had accessed files containing personal information of Starwood guests, dating back to 2014.
The company issued a public statement on the breach on November 30.
“We had lawyers and security experts and all sorts of other folks who were engaged in the conversation about timing, how quickly could we go,” Sorenson says.
“We also wanted to make sure we had set up call centers and websites so that the moment we released this information publicly, customers had a place to go.”
Marriott announced plans to buy Starwood in November 2015 and the acquisition closed in September 2016 for $13.6 billion.