REPORT FROM THE U.S.—Marriott International President and CEO Arne Sorenson testified before a U.S. Senate subcommittee in early March, providing some insight into the data breach of the Starwood Hotels & Resorts Worldwide legacy reservation system.
In his testimony before the Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations in March, Sorenson laid out the timeline of the discovery of the breach and how his company responded.
Hotel News Now reached out to IT and data privacy experts to explore what the hotel industry can take away from Sorenson’s testimony about the breach. None of the experts currently work for Marriott or assisted in investigating the breach. Their comments are based solely on Sorenson’s testimony, which is the greatest level of detail about the data breach the company has shared publicly.
Remaining questions
When news of the breach first became public, everyone was working with incomplete information, said Scott Lyon, partner at Michelman & Robinson and IT professional. The big red flags were that the hacker gained access back in 2014 and Marriott bought Starwood in 2016, he said.
“The question was: Why wasn’t this caught when they were doing their due diligence?” he said. “That’s still a valid question. If a company is looking to do an acquisition, cyber-security audits need to be part of the audit.”
Jeff Flaherty, senior director of global communications and public affairs at Marriott, said that as part of the company’s integration efforts, Marriott conducted an assessment of the legacy Starwood information technology systems prior to and after the close of the transaction. Marriott would not comment on the specifics, he said.
Part of the problem could be that two years after the acquisition, the Starwood and Marriott systems weren’t merged yet, Lyon said. The security team was managing two parallel systems, which expands the target and draws resources thin, he said. Consolidating them makes them easier to protect, he said.
Many times this comes down to the will of management, he said. If management makes it a priority, consolidation can get done quickly. What happens too often is consolidation becomes a priority when it’s an emergency, and that’s not the time when anyone wants to deal with it, he said.
According to Sorenson’s testimony, Marriott evaluated how to best integrate the two systems but was legally and practically limited by the fact that Starwood was technically a competitor until the acquisition was complete. Once complete, Marriott chose to maintain its reservation system as the central system and retire Starwood’s system. It was a two-year process to integrate all of Starwood’s 1,270 hotels into Marriott’s system, but Marriott accelerated the pace in November 2018 to retire Starwood’s system. By 18 December 2018, the company had stopped using Starwood’s legacy reservation system.
Marriott discovered the breach through instrumentation designed to find breaches, said John Bell, founder and CEO of Ajontech. Before starting his own tech consulting company, he worked for Marriott as a principal architect/systems consultant from 2002 to 2006 and then enterprise architect from 2006 to early 2014.
The breach had existed for four years, two of which were after Marriott bought it, so the question remains whether Marriott had just deployed the instrumentation or had only just discovered it, he said. There’s also a concern whether the instrumentation found the breach and was sounding the alarm, but no one listened to it, he said.
“That’s what happened with Target,” he said, referring to a 2013 data breach of the retailer.
Marriott can confirm the tool issued an alert that was triggered by a query to a table in the Starwood guest reservation database, Flaherty said.
“Marriott quickly implemented containment measures and engaged leading security experts to determine what happened,” he said.
It appears credit card numbers and passport identifications were not consistently encrypted, which sounds like a bug, Bell said. That information in a database should be encrypted, he said, adding it must have been a problem for some time.
In his testimony, Sorenson stated the incident involved 18.5 million encrypted passport numbers and approximately 5.25 million unencrypted passport numbers. It also involved approximately 9.1 million encrypted payment card numbers and “several thousand” unencrypted payment card numbers.
“To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility,” Sorenson said in his testimony.
The actual user of the credentials who executed the query that was flagged was not on the system at the time the query was executed, meaning the credentials were compromised, Bell said. The system would benefit from a two-factor authorization, he said. Marriott systems have used this for at least the last seven years, so it’s possible Starwood didn’t, he said.
The password also was reverse-engineered, which means the rules for password complexity for a server were not properly configured or enforced, he said. A password that is 12 characters or longer can’t be cracked in a reasonable amount of time, he said. There are also rules about changing passwords every 30 days, but he suspects this password was in place for much longer than that, he said.
“This was done over four years,” Bell said. “If it were changed, it couldn’t have been easily used for execution.”
Marriott uses, and Starwood used, layered defenses to protect company information and assets, Flaherty said in response to a question about multifactor authentication. It would not comment on its specific technology or security measures.
The company’s password requirements might vary by program and change from time to time, he said. Passwords for a Marriott Bonvoy account currently require eight to 20 characters, a lower-case letter, an upper-case letter and a number or special character, he said.
Database security
In his testimony, Sorenson also discussed concerns about Starwood having a centralized database while Marriott has property-specific databases, Lyon said. The question is which approach is better, and there are pros and cons to each, he said. Within a centralized database, if it’s compromised, the attacker can get everything. If the database is distributed, then it’s segmented, meaning the attacker can gain some access but not to everything, he said.
“You really need a merged approach,” he said.
Think of good data security like a bank vault, Lyon said. The owner of the bank wants to put all of its valuable assets inside a vault because of all the protections around the vault, he said. However, if someone gets through the vault walls, everything is there for the taking. That’s why, inside the vault, there also should be safe deposit boxes, each with their own locks.
“If the attacker can get into the vault, they still don’t have access to the boxes,” he said. “They still need keys. That’s where encryption solutions could be valuable here.”
Whatever the size a hotel company, administrative access to servers and systems should require a multifactor authorization, Bell said. This includes user ID, a password and another factor that delivers a six-digit form for authentication. These aren’t costly, he said. Though not ideal, it can even be done through SMS, he said.
Many smaller companies don’t have IT operations fully aware of all the steps they should take, he said. Companies should provide the proper training to ensure their employees have this awareness, or hire an outside organization to manage IT work, he said.
One problem with outsourcing IT responsibilities is even large, reputable third-party companies may promise to do something but then not do it, he said.
In the Starwood case, a third-party company was helping, but the breach went undetected for four years, Bell said. “That says the companies responsible for it didn’t do their job. There’s no way this should have gone on for four years,” he said.
Transparency in security
Ted Harrington, executive partner at Independent Security Evaluators, said he was surprised by the amount of detail Marriott has shared publicly about what happened with the breach.
“I would commend them for sharing that,” he said, adding that doing so helps others in the industry to prevent a similar incident.
Sorenson’s testimony, however, didn’t shed any new light on how the breach happened, which is the most important part, Harrington said.
“How did they get in?” he asked. “Was it because the defense was not in-depth? Using bad passwords? Privilege issues? That’s the thing that really matters in what we can learn from the breach.”
Harrington said he’d be surprised if that information ever comes to light. There is logic behind this approach, but it is somewhat flawed, he said. In IT work, there are secure design principals, which are universal truths upon which systems resilient to attack are built and which serve as a guide for prevention, he said. Then there is a related body known as anti-principles appear to be part of secure design, but don’t actually deliver the core security that people think they do.
“One of those is security through obscurity,” he said. “No one knows how it works, thus because of those secrets, it is protected. Secrets are compromised and violated all the time.”
While some secrecy can act as an additional layer of security, there is no harm to an organization sharing its approach to security and why it invests in certain things in certain ways, he said.
Why the number shrunk
When Marriott made its first public statement about the data breach, it estimated approximately 500 million guest records were involved. Upon further investigation, the company later stated the number of compromised records was approximately 383 million.
There’s a short amount of time to make a breach notification under the European Union’s General Data Protection Regulation, which often leads to companies making their first statements with incomplete information, Lyon said. While companies don’t want to over-notify, they also don’t want to under-notify, which can have serious consequences, he said.
One of the reasons the number of affected customers decreased is Marriott had a lot of duplicate records, he said.
Sorenson testified that the company adjusted its initial number of affected records down after further investigative efforts and certain deduplication efforts.
“To be clear, this does not mean that information concerning 383 million unique guests was involved; in many instances, there appear to be multiple records for the same guest, but because of the nature of the data, further de-duplication cannot easily be performed,” he said. “We cannot confidently determine whether records with similar names, or even identical names with different addresses, represent one person or multiple people, but we have concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved.”
This demonstrates the need for the hotel industry to focus on the quality of the data collected, Lyon said. If companies want the information they collect to be actionable, it needs to be valid information, he said. Culling records, removing duplicates and making sure customers have access to their information are important security steps and fall in various degrees under the GDPR and California’s data privacy law, he said.
Having good information on customers can add marketing value, but data has a life cycle, he added. Companies need to determine when it’s time to retire that information. If the information is no longer current, a decision needs to be made as to whether it’s still valuable, he said.
“Old records should be purged if there’s no present business value to them,” he said. “Doing that helps reduce potential risk.”
Response to consumers
Marriott created a website for consumers that shared information about the breach, Harrington said. That’s fairly common with breach events, but the problem is visitors to the site usually have no way of knowing if the site is legitimate, he said. Marriott’s site has a URL of info.starwoodhotels.com, which is good because it includes Starwood Hotels, he said.
Other companies that have taken this approach have used different domains instead of attaching to their main websites, he said. Data thieves take advantage of this by setting up duplicate attack sites that ask consumers to enter their names and Social Security numbers to check if they were affected by a data breach, and those who do unknowingly share their personal information with thieves, he said.
Marriott offered monitoring services to people affected by the breach, but the usefulness of these services depends on how much people can trust them, Bell said. After the breach of Equifax in 2017, no one is going to trust that service, he said.
“Giving people a monitoring service is just to make them feel good,” he said. “It’s not actually doing anything.”