On September 8th, 2018, Marriott received an alert from an internal security tool in what would be the start of one of the worst data breaches of 2018. After disclosing the breach, which affected approximately 383 million victims, shares fell 5.6% and Marriott is now facing a class-action lawsuit. Although it is too soon to know the exact cost that Marriott will face in recovering from the breach, Bloomberg analysts estimate the total cost will be $1 billion. In this blog, we will explore some lessons learned from the Marriott data breach and how you can learn from some of the mistakes that they made along the way.
First, What Happened?
Before we can pull out some lessons learned from the Marriott data breach, we need to quickly review what happened. While it is still early and Marriott is still holding a lot of their cards close to the vest, here is what we know. Hackers accessed the reservation system of Starwood Hotels (Sheraton, Regis, Westin) sometime in 2014. Marriott acquired Starwood back in 2016 but did not notice the breach at the time. On September 8th of 2018, they finally noticed and investigated. Here is Marriott’s statement on the matter:
“On September 8, 2018, Marriott received information that an alert from an internal security tool was related to an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”
Lessons Learned from the Marriott Data Breach
Lesson One: Mergers and Acquisitions Require Exceptional Focus on Cybersecurity
So the first, and probably most alarming, part of all this is that the initial compromise happened back in 2014. Even with logging that exceeds best-practice, there is no way there is enough information for Marriott to get to the root cause of how the attacker gained initial access, meaning there is no way they can make sure it doesn’t happen again. Of equal concern, Marriott acquired Starwood in 2016 and didn’t detect this. Any time an organization undergoes a merger or acquisition, there is naturally a due diligence process to review every aspect of the company being acquired. Far too often, this does not include a cybersecurity portion or, if it does, it is woefully inadequate.
Any time you are considering a merger or acquisition ensure that cybersecurity is a priority and you are doing your due diligence to ensure you know what you are getting. A common theme in information security is that you are only as strong as your weakest link. Therefore, when you are connecting your network to a newly acquired company or taking the responsibility for their security, it is vital to do a thorough review of their current security posture. At a minimum, this should include a hybrid of auditing, penetration testing, and configuration reviews.
Lesson Two: Keep the Encryption Keys Segregated From the Encrypted Data
Some of the data that was stolen, and perhaps the most important from a cost-perspective (although passports are equally as bad), was credit card information. The good news for Marriott is that this information was encrypted using AES-128. Great, now we can be sure that the attacker, even if he had access to the database, wasn’t able to read those credit card numbers in cleartext. But not so fast! The encryption key used to encrypt and decrypt those credit cards was stored in the same database. That means it is likely the attacker was able to decrypt and read those credit card numbers. Because of that, Marriott provided credit card monitoring to everyone affected (think millions of dollars).
The lesson learned here is to keep the key segregated from the encrypted data. Consider your environment: if an attacker gained access to your payment system database, would they be able to read the credit card details? Another thing to consider, which could greatly help you in terms of Payment Card Industry (PCI) compliance, is to not store credit card information at all and instead use tokenization to remember repeat customers. That is a little to technical for this blog, but take a moment and consider if your database was accessed by an attacker, what is the impact and what can you do to limit that impact.
Lesson Three: Detection and Response is Just as Important as Prevention
A final lesson learned from the Marriott data breach is that detection and response are really important. Far too often we see companies focus too much on one aspect of security and neglect the full picture. There is no silver bullet in security. No matter how much time and how many resources you put in place to shore up your Internet perimeter, all it takes is one user clicking a link and an attacker is past it all. Because of that, I always tell customers that it is not a question of if you will be breached, it is a matter of when.
If you internalize the fact that no matter how much you spend on preventing a breach it will still likely happen at some point, you will likely take the logical next step, which is to increase your detection capabilities. This includes things like a security information and event management (SIEM) device that correlates logs from various sources and a data-loss prevention (DLP) system that monitors for sensitive information leaving the network. This also includes taking necessary steps that are part of good preventative security hygiene as well, such as multi-factor authentication, requiring regular password changes, changing service account passwords, and performing firewall reviews to make sure all outbound traffic is known and permissible.
Certainly in this short blog we could not cover all of the lessons learned from the Marriott data breach. Even if we wanted to, we don’t have all the information yet, and most likely we never will. However, we did cover three of the lessons learned from the Marriott data breach that are most applicable to improving your own security program. First, we looked at mergers and acquisitions and how cybersecurity needs to be a key component of the due diligence process. We also looked at why we need to keep our encryption keys segregated from the data they protect. Finally, we looked at the layers of security and why it is important to focus on detection and response, rather than just prevention. As always, we would love to hear from you, so reach out or hit us up on Twitter and let us know what you think.