Marriott CEO: Source of attack still unknown, encryption and decentralization may be future solution

Marriott CEO Arne Sorenson testified to a U.S. Senate subcommittee Thursday, apologizing for the massive data breach that involved 383 million guest records in the Starwood hotels reservation system.

He also shared changes the company plans to make to ward off future attacks.

Appearing before the Senate Homeland Subcommittee Hearing on Data Breaches, Sorenson was asked if he believes China was responsible for the attack.

“The short answer is, we don’t know,” he says. “And I feel quite inadequate about even drawing inferences from the information we’ve obtained.”

Sorenson says Marriott has given the F.B.I. information about IP addresses and malware tools used in the Starwood system so its investigators can try to determine the cause.

“We’ve simply been focused on making sure the door is closed and communicating with our customers,” Sorenson says.

Thus far Sorenson says Marriott has “not found any data that was removed from the Starwood database on the internet or dark web” and has not received any confirmed claims of loss attributable to the breach.

He told the panel that Marriott is addressing to the risk of future cyberattacks with a “layered defense approach and continuous improvement.”

Looking ahead

Two key elements of the company’s strategy to prevent future attacks: encryption and decentralized storage of guest data, such as passport information.

“In the Starwood system it was done locally and then essentially centralized into the data system,” Sorenson says.

“There are pros and cons of allowing it to be entirely at property level. One of the pros is it’s a smaller target, if you will. One of the cons on the other hand is then if each hotel needs the same elaborate system of cyber defenses, can you make sure that you are delivering that?

"Those are issues we are working through right now. I think in all likelihood everything, passports, will be encrypted.

"Secondly, I think we’ll look very hard at not centralizing any of it but making sure that we’ve got appropriate tools at property level to protect against cyberattacks.”

Sorenson outlined the timeline of the breach investigation, which he says began on September 7, 2018, initiated by an alert from a cybersecurity tool.

But Sorenson says the investigation, involving Marriott IT staff, outside security experts and the FBI, did not determine until November 19 that the intruder had accessed files containing personal information of Starwood guests, dating back to 2014.

The company issued a public statement on the breach on November 30.

“We had lawyers and security experts and all sorts of other folks who were engaged in the conversation about timing, how quickly could we go,” Sorenson says.

“We also wanted to make sure we had set up call centers and websites so that the moment we released this information publicly, customers had a place to go.”

Marriott announced plans to buy Starwood in November 2015 and the acquisition closed in September 2016 for $13.6 billion.