Businesses and consumers continue to discuss privacy regulations and legislation on a regular basis, especially in the travel industry.
And data breaches, data vulnerabilities and compromised private information similar to the Marriott incident are released in the news almost daily.
But the Marriott data breach case in particular, with half a billion guest records under scrutiny, is a huge attack.
Some of the questions those affected are now asking include the obvious: "How could this issue go unaddressed for so long, and what information could have been taken?"
Here are some answers based on what we know so far...
How could a security issue this big go unaddressed and undetected for so long?
From what has been disclosed, the breach started in 2014, prior to the Marriott acquisition of SPG.
In theory this should have been identified as part of a cyber risk assessment conducted during the M&A activities.
It’s likely that the different corporate entities had different levels of security maturity and this issue was obscured as the company worked to merge systems.
Whatever detective controls were in place, like security alerts, may not have been applied to all assets.
There was a purported breach of the Marriott incident response team in 2017 that should have triggered a thorough review which may have identified this.
In the end, attackers can be very advanced and the commotion around M&A homogenization activities created enough fog for this incident to last for four years.
What information security or penetration testing tactics, capabilities or strategies could have helped Marriott avoid this breach?
At the end of the day, a criminal needs three things to breach something:
- A way in
- Access to the data cookie jar
- A way to get the data back in attacker control to sell etc.
Vulnerability scanning and penetration testing can help detect "ways in" so that they can be fixed before a breach occurs.
Implementing cyber resiliency controls, which assume a compromise has occurred and are designed to limit the scope of the breach, would have made it harder to get to the data cookie jar and/or impossible to get there without detection.
Implementing various alerting technologies would generate alerts as the data was being exfiltrated back to the attacker's control.
The public statements by Marriott indicate that some data was encrypted by the attacker, which is a common tactic to mask the data as it's being sent back out the door.
Preventing the attacker from executing the encryption routine, or taking other system hardening steps, would make it harder to mask the data.
Using data leak prevention technologies to detect and block the transmission of sensitive data types would have helped.
Creating fictitious records in the customer database that should never be accessed for a legitimate reason, and then configuring auditing on those records, would also help.
The attackers aren't selectively choosing records to export in most instances; they're getting them all.
Having an alert mechanism of some sort for mass data transfers or sensitive record access would further reduce the risk.
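The two detective controls described above (canary records that no legitimate process should ever read, plus alerting on bulk reads) can be combined in a single audited query layer. The following is an added example, not code from the article or from Marriott; it uses an in-memory SQLite table with constructed guest data, a hypothetical `MASS_READ_THRESHOLD`, and an in-memory `AuditLog` standing in for a SIEM or database audit sink. The canary IDs are held by the monitor, not flagged in the table itself, so an attacker dumping the table cannot tell which rows are tripwires.

```python
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data: a few ordinary guests plus two canary records that
# no legitimate business process should ever read.
SAMPLE_GUESTS = [
    ("alice@example.com", "Alice Example", "US"),
    ("bob@example.com", "Bob Example", "DE"),
    ("carol@example.com", "Carol Example", "FR"),
]
CANARY_GUESTS = [
    ("canary-01@example.invalid", "Honeytoken One", "XX"),
    ("canary-02@example.invalid", "Honeytoken Two", "XX"),
]

# Hypothetical threshold: a single query returning more rows than this is
# treated as a bulk read and raises an alert.
MASS_READ_THRESHOLD = 100


@dataclass
class AuditLog:
    """In-memory stand-in for an audit/SIEM sink (hypothetical)."""
    entries: list = field(default_factory=list)   # every query, actor, row count
    alerts: list = field(default_factory=list)    # only the suspicious ones


def setup_db(n_filler=500):
    """Build the guest table and return (connection, set of canary row ids)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE guests (id INTEGER PRIMARY KEY, email TEXT UNIQUE, "
        "name TEXT, country TEXT)"
    )
    insert = "INSERT INTO guests (email, name, country) VALUES (?, ?, ?)"
    conn.executemany(insert, SAMPLE_GUESTS)
    # Filler rows so that a full-table read crosses the bulk threshold.
    conn.executemany(
        insert, [(f"guest{i}@example.com", f"Guest {i}", "US") for i in range(n_filler)]
    )
    conn.executemany(insert, CANARY_GUESTS)
    conn.commit()
    # The monitor remembers which ids are canaries; the table carries no marker.
    canary_ids = {
        row[0]
        for row in conn.execute(
            "SELECT id FROM guests WHERE email IN (?, ?)",
            tuple(c[0] for c in CANARY_GUESTS),
        )
    }
    return conn, canary_ids


def audited_select(conn, log, canary_ids, sql, params=(), actor="app"):
    """Run a SELECT whose first column is the guest id, log it, and raise
    alerts for canary access or bulk reads. Returns the rows unchanged."""
    rows = conn.execute(sql, params).fetchall()
    log.entries.append((actor, sql, len(rows)))
    returned_ids = {r[0] for r in rows}
    hits = returned_ids & canary_ids
    if hits:
        # A canary row has no legitimate reader: this alone is a high-fidelity signal.
        log.alerts.append(f"CANARY_ACCESS actor={actor} ids={sorted(hits)}")
    if len(rows) > MASS_READ_THRESHOLD:
        # Attackers typically take everything, so the row count is the tell.
        log.alerts.append(f"MASS_READ actor={actor} rows={len(rows)}")
    return rows


if __name__ == "__main__":
    conn, canaries = setup_db()
    log = AuditLog()
    audited_select(conn, log, canaries,
                   "SELECT id, email FROM guests WHERE email = ?",
                   ("alice@example.com",), actor="frontdesk")
    audited_select(conn, log, canaries,
                   "SELECT id, email FROM guests", actor="unknown-host")
    print("\n".join(log.alerts))
```

A single front-desk lookup produces an audit entry but no alert; a full-table read from an unexpected actor produces both a `MASS_READ` and a `CANARY_ACCESS` alert, which is the combination a SOC would want routed straight to an analyst.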
Impact on general corporate compliance initiatives?
Compliance is a focus of sectoral standards for the most part: "Healthcare does this, credit cards do that" kind of logic.
I think companies need to go back to their drawing boards and define their non-regulatory needs, such as keeping customer loyalty or preparing for forthcoming cyber and privacy laws that aren't enforced yet.
These should be integrated into the overall compliance initiatives being performed.
Brand loyalty today is very important, and we’ve seen a few recent loyalty program breaches.
A breach is a great way to discourage continued usage of brand loyalty programs.
This breach seems very relevant considering several fast food restaurants seem to have apps now.
It's a new way to engage with the customer, but there's a fine line between customer interest and lost customer interest in the event of a breach.
What should companies take away from the Marriott breach in terms of data storage, data security and network visibility?
If you don't need it, don't keep it. If you don't have the information to lose, your risk is eliminated.
Encryption is not just for credit card numbers. All PII is important. Consider expanding existing controls, such as those mandated by PCI for credit cards, to other non-payment related systems in the overall environment.
Implement a robust vulnerability management program. It's unknown whether the attackers compromised an external website to get in or sent something as simple as a phishing email, but it's likely that after getting in they needed to carry out a series of exploits.
Detecting potential weaknesses, validating those weaknesses and fixing them will make it much harder for an attacker to break in or move around once they're inside your systems.
Could Marriott run afoul of GDPR? And what will that look like?
It's unknown if EU natural persons' data was compromised. But based on the size of the breach it seems likely that some EU natural person data was also compromised.
Marriott is likely working with their EU DPA representative to facilitate transparency and involvement by the supervisory authorities there.
Another potential issue around GDPR is that the record set was so large.
It's unknown if Marriott had a lawful basis to collect or maintain the various data elements that were disclosed to have been breached.