Marriott says it was hit by another data breach – TechCrunch
Hackers accessed data on 5.2 million guests.
Expert Comment Roundup:
“This is the second time in two years Marriott has disclosed a breach of consumer data, bringing into question improvements made in security following the last breach. While this breach is not as widespread as the previous incident, it is still worrisome, with names, phone numbers, emails and other sensitive information released. This second offense is apparently the result of two employees’ credentials improperly accessing guest information, which further amplifies the need for companies to be aware of malicious insiders and put better cybersecurity practices into place for credential abuse and permissions. Whether impacted by this breach or not, all consumers need to be wary of the personal information they share with companies and make sure it’s protected, including regularly updating passwords and implementing credit monitoring.” – Tyler Moffitt, senior threat research analyst at Webroot.
“Like the OPM, Anthem, Dulles and the 2018 Marriott breach, this breach is just another in a long string of attacks targeting US officials. Think about it, officials from the NSA, CIA, FBI, DoD stay at Marriott hotels, including possibly diplomats, business people or intelligence officials as they travel around the globe. The FBI’s investigation into the 2018 Marriott Breach concluded that the attackers were working on behalf of the Chinese Ministry of State Security – alarm bells should be going off.” – Casey Ellis, CTO and founder, Bugcrowd
“This is not the first time Marriott faced a breach of this magnitude… In 2018, Marriott disclosed a data breach affecting upwards of 500 million guests. Interestingly, the 2018 Marriott data breach — similar to this new breach — was also identified as a campaign executed by nation-state hackers and foreign actors. The ground truth of the matter: If you have data that hackers want, they will be persistent, execute long campaigns, eventually find a way in, and then exploit you. It is true that if you have been hacked once, it’s likely going to happen again — especially if you have lots and lots of valuable data (such as a hotel chain’s guest list). Every company truly needs to adopt a more proactive approach to cyber-security and assess their security measures more often. The quarterly or annual cadence of threat and/or compromise assessments many companies perform is not enough.” – John Norden, VP of Engineering and CSO at Infocyte
“As a Marriott customer myself, it is very disheartening that they apparently did not learn from their first missteps. Security is easily overlooked, and often misplaced trust leads to failures such as this. Large organizations can often find it difficult to implement a one-size-fits-all authentication and security plan. From my experience, a one-size-fits-all approach never works and seems to leave the door open for hackers to break through. Instead, organizations should look to implement risk-based tools that adapt to the changes. Businesses this large that are still having problems with their security need to bring in outside help and implement the appropriate technology, such as multi-factor authentication, behavioral analysis, biometrics, and even data from third-party tools, as soon as possible, to ensure that the right level of security is applied at the right time.” – Will LaSala, Director of Security Solutions, Security Evangelist, OneSpan
“The biggest threat Marriott guests might face as a result of this breach is targeted phishing. Guests should be on the lookout for targeted messages from scammers posing as Marriott or a related company. Don’t click on links or attachments in unsolicited emails. Check email addresses and don’t just trust display names. If you’re uncertain as to whether a message is legitimate or not, ask Marriott using contact information found through Google.” – Paul Bischoff, privacy advocate with Comparitech
“Consumers have grown used to the hospitality industry’s data incontinence, but leaked email addresses mean that the risk continues for consumers long after the initial attack is over. Credit monitoring is a cliché – does anyone care anymore? How about giving Bonvoy members some more points to make up for the years of phishing emails that will result? And consumers really do need to stop linking rewards programs.” – Colin Bastable, CEO of security awareness training company Lucy Security
“Account takeover (ATO) attacks are a major threat to any business. It is much simpler and lucrative to walk in through the front door with valid stolen credentials than to look for holes in an organization’s cybersecurity defenses. With the vast volume of stolen credentials out there, hackers launch credential stuffing attacks using automated bots. Eventually they find a username and password that works that will let them buy goods for resale, drain loyalty accounts of points or steal personal information. The data stolen from this breach will invariably make it to the dark web and further fuel this cycle of ATO attacks.” – Ameet Naik, security evangelist at PerimeterX
“The kinds of information disclosed in the latest Marriott breach might seem innocuous, but it is precisely this kind of intelligence that enables threat actors to better target attacks on consumers. Simply: the more I know about you, the better chance I have of fooling you. Compromised credentials remain one of the top vectors for this kind of compromise, and strong authentication before accessing sensitive information one of the best defenses.” – Gerrit Lansing, Field CTO, Stealthbits