Hotel chain Marriott last week admitted its guest reservation system had been hacked, potentially exposing the personal information of around 500 million guests.
On 30 November, Marriott said in a statement that as far back as 2014, hackers gained unauthorised access to its Starwood reservation database, a group of hotels that includes St Regis, Westin, Sheraton and W Hotels. It added it only discovered the breach last week.
With the help of "leading security experts", the group discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it.
Marriott said around 327 million customers have been compromised, with exposure of their name, mailing address, phone number, e-mail address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For others, the information includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard (AES-128) for which two components are needed for decryption.
Marriott has not been able to rule out the possibility that both were taken. The company has notified regulatory authorities, reported the incident to law enforcement and says it continues to support their investigation.
Large-scale attack
"With the data of approximately half a billion customers breached, this is the largest exposure of traveller data ever," says Rusty Carter, VP of product management at Arxan Technologies, which specialises in application attack prevention.
He says this attack, and the ones against British Airways and Cathay Pacific earlier this year, demonstrate the travel and hospitality industries are an attractive target.
"The treasure trove of information, including passport information and date of birth, can be used to build sophisticated, comprehensive dossiers on these victims. Wide-spread impersonation and fraud is much more likely."
Carter advises customers to check in with their financial institutions, and take advantage of additional security measures wherever their financial institutions offer them.
"Given the extent of data stolen, they should also closely watch for fraud in things like their tax returns, which leverage some of this same personal information."
Trusting applications
The fact that the attackers had access for so long shows many enterprise backend systems and databases are vulnerable because they must trust the application accessing them, explains Carter.
Moreover, the massive size of this breach emphasises the need for regulations to protect consumers. Key to minimising the impact and likelihood of success is developing strategies that include strong detection and reporting of the health and status of applications, both inside and outside the company's network.
Amit Ashbel, security evangelist for data protection and compliance provider Cognigo, adds the breach began nearly five years ago and supposedly increased in size over the last year, yet it took more than a month to confirm that finding.
"Organisations must to be able to constantly monitor all their data, whether it is structured or unstructured. The key to protecting consumer data is not by placing a firewall or data leakage prevention, but being able to make sure you continuously have the ability to monitor data, classify it accordingly, and take actions to prevent access or exfiltration of any valuable or sensitive information," says Ashbel.
No coherent strategy
"This looks like yet another tremendous data breach related to insecure Web applications," comments Ilia Kolochenko, CEO and founder of Web security company High-Tech Bridge.
"Many large entities still do not have an up-to-date inventory of their external applications, let alone conduct continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. It's obvious that this approach will fail one day."
According to Kolochenko, regulations such as GDPR do not necessarily help. "In the past two years, many companies were over-concerned about GDPR compliance on paper, ignoring practical security requirements due to limited budgets and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cyber security and privacy."
The legal ramifications for Marriott and its subsidiaries could be tremendous, from harsh financial penalties from authorities in various affected countries, to individual and class-action lawsuits from the victims, concludes Kolochenko.
Share