Marriott breach leaves 500 million exposed with passport, card numbers stolen
Motivations of hackers are unclear, but proprietary Wi-Fi may have been a target.
Brian Vecci, Technical Evangelist at Varonis:
“Most of the time it takes months or years to discover a breach, which is exactly what happened here. Threat actors are smart and getting smarter, so it’s hard to catch them in the act, but not only did Marriott fail to protect customer records, they failed to detect the leakage of this data since 2014! This breach is a textbook example of attacker dwell time, and how once an attacker compromises an organization their goal is not typically to smash and grab, but to build persistence mechanisms and backdoors to stay in a network and continue to steal critical information year after year.
The reality is that even big companies lack the kind of visibility they need to detect every threat because they can’t find the signal in the security noise. This is a solvable problem, but most companies haven’t gotten there yet. The larger issue is that one of the biggest companies in the world was hit but chose to wait nearly 3 months to notify its customers. How many meetings did they have in the past three months deciding how to word the press release while their customers were at risk? Privacy protections like the GDPR mandate reporting a breach within days so companies can’t sit around waiting while individuals are at risk. Companies risk almost nothing while their customers pay the price.”
Michael Thelander, director of product marketing at Venafi:
“The admission that encryption keys may have been stolen is alarming, but unfortunately not uncommon. The dangers are very real: I’ve heard Red Team members say the first thing they do, on achieving access to a network, is locate the SSH-enabled servers and prod at the default locations for host and client keys.
“Without constant visibility into the location of the keys and certificates that protect machine identities, there’s no way of knowing what systems are vulnerable, where pivots have occurred, and where new attacks will be pointed.
“Session logging might tell where SSH keys were used while the attackers were in the network, but there’s a real possibility that keys could have been exfiltrated in parallel with the data. If that’s the case, we may not know it happened until newly-decrypted payment card data begins to drive new fraud schemes.”
Javvad Malik, security advocate at AlienVault:
“This seems like a particularly big breach, not just because of the number of records taken, but also the details that were contained within. It appears as if detection capabilities were not adequate, taking several weeks to notice the breach and extraction of records. It is good that the credit card database was encrypted, but if, according to the company, the attackers were able to take the decryption key, then it was of no use. The digital equivalent of leaving the key for the front door under the mat.”
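The "key under the mat" point above (and Venafi's point about knowing where keys live) can be made concrete. The script below is an added example written for this page; it is not code from the article, from Marriott, or from any quoted vendor. It builds two constructed card stores: one where the data-encryption key sits in the same dump as the ciphertext, and one where each row carries a data key wrapped by a master key that only a separate key service holds. A stdlib HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag stands in for AES-GCM so the script runs anywhere; it is a teaching stand-in, not a production cipher. The card numbers, the `KeyService` class and the `billing-service` caller name are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC subkeys from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered row raises ValueError."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Constructed stand-in for an HSM/KMS: holds the master key, never hands it out,
    and logs every unwrap so key use is visible to the defender."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.unwrap_log = []

    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._master, data_key)

    def unwrap(self, wrapped: bytes, caller: str) -> bytes:
        self.unwrap_log.append(caller)  # audit trail: who decrypted, and how often
        return unseal(self._master, wrapped)


# Constructed test card numbers (standard test values, not real accounts).
CARDS = [b"4111111111111111", b"5500000000000004", b"340000000000009"]


def build_weak_store(cards):
    """Key stored next to the data: the 'key under the mat' layout."""
    data_key = secrets.token_bytes(32)
    return {"data_key": data_key, "rows": [seal(data_key, c) for c in cards]}


def build_separated_store(cards, kms: KeyService):
    """Envelope encryption: each row holds its data key wrapped by the KMS master key."""
    rows = []
    for c in cards:
        data_key = secrets.token_bytes(32)
        rows.append({"wrapped_key": kms.wrap(data_key), "card": seal(data_key, c)})
    return {"rows": rows}


def attacker_with_dump(store):
    """What someone holding only the database dump (no KMS access) can recover."""
    if "data_key" in store:
        return [unseal(store["data_key"], r) for r in store["rows"]]
    recovered = []
    for r in store["rows"]:
        try:
            # The wrapped key is ciphertext under the master key; using it directly fails the tag check.
            recovered.append(unseal(r["wrapped_key"], r["card"]))
        except ValueError:
            pass
    return recovered


def application_read(store, kms: KeyService, caller: str = "billing-service"):
    """Legitimate path: every decrypt goes through the KMS and leaves an audit entry."""
    out = []
    for r in store["rows"]:
        data_key = kms.unwrap(r["wrapped_key"], caller)
        out.append(unseal(data_key, r["card"]))
    return out


if __name__ == "__main__":
    kms = KeyService()
    print("weak layout, dump alone recovers:", len(attacker_with_dump(build_weak_store(CARDS))), "cards")
    sep = build_separated_store(CARDS, kms)
    print("separated layout, dump alone recovers:", len(attacker_with_dump(sep)), "cards")
    print("application reads:", len(application_read(sep, kms)), "cards; unwrap log:", kms.unwrap_log)
```

Two defensive points fall out of the separated layout: a copy of the database on its own is useless without the key service, and because every decrypt is an unwrap call, a bulk read of the whole table shows up in the key service's audit log as a burst of unwraps from one caller, which is exactly the kind of signal the Varonis quote says organisations are failing to find in the noise.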
Franklyn Jones, CMO, Cequence:
“Unfortunately, we can also expect to see a long tail effect from this breach. As this data finds its way to the dark web, these stolen credentials will be acquired by other bad actors. They, in turn, will orchestrate high volume bot attacks to see if the stolen credentials can also provide access to web, mobile, and API application services of other organizations.”
Satya Gupta, CTO and Co-founder, Virsec:
“What’s most disturbing about this attack is the enormous dwell time inside Starwood’s systems. The attackers apparently had unauthorized access since 2014 – a massive window of opportunity to explore internal servers, escalate privileges, move laterally to other systems, and plot a careful exfiltration strategy before being discovered. All organizations should assume that the next threat is already inside their networks and won’t be caught by conventional perimeter security. We need much more careful scrutiny of what critical applications are actually doing to spot signs of internal corruption. We must reduce dwell time from years to seconds.”
John Gunn, CMO, OneSpan:
“The significance of the Marriott breach is not in the number of records that were compromised; that is relatively small. Its impact on the victims is much greater than the numbers reveal. It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport. This may be an emerging trend with hacking organizations, to target large pools of passport data. Stolen passports sell for a magnitude more than stolen credit cards on the dark web.”
Michael Magrath, Director, Global Regulations & Standards, OneSpan:
“The vast stores of personally identifiable data on the Dark Web continue to grow at historic rates, and fraudsters have rich resources with which to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information. For example, the personal data obtained in one breach could be cross-referenced with data obtained from another breach and other widely publicized private sector breaches, and the Marriott breach only makes their task that much easier and more likely to succeed. Having the databases in the same place makes things even easier for the bad guys.
“Cyber attacks such as Marriott’s will continue, and it is imperative that public and private sector organizations not only deploy the latest in authentication and risk-based fraud detection technologies in their organizations, but also make sure all third-party partners have equal cybersecurity measures in place.”
Gary Roboff, Senior Advisor, the Santa Fe Group:
“How could a breach like this continue for 4 years?
“If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a “mass data dump exfiltration event” in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.
“While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly.”
Bimal Gandhi, Chief Executive Officer, Uniken:
“Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web.
“Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well. Hotels, hospitality companies, banks and eCommerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII.
“Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond PII authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor, in order to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network.
“Invisible multifactor authentication solutions that rely on cryptographic key based authentication combined with device, environmental and behavioral technologies provide just such a solution. By their very nature, they are easy to use, issued and leveraged invisibly to the user, remove human error, and defy credential stuffing and other common attacks.”