BreachExchange mailing list archives
Marriott data breach shows cyber security risks of mergers
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 4 Dec 2018 08:41:09 -0600
https://www.enterprisetimes.co.uk/2018/12/03/marriott-data-breach-shows-cyber-security-risks-of-mergers/

Marriott International has disclosed one of the largest data breaches on record. More than 500 million customers of its Starwood division were exposed to hackers for more than four years. This means that the hackers were already inside the Starwood system before Marriott agreed to buy SPG. As with the Verizon acquisition of Yahoo, it shows the need for a full cyber security audit as part of any merger agreement.

In its formal statement, Arne Sorenson, Marriott’s President and Chief Executive Officer, said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.

“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

What do we know so far?

On 30th November, Marriott issued a press release saying that it had discovered a data breach of the Starwood guest reservation system. The breach contained customer information for those who stayed at a Starwood property between 2014 and September 10, 2018. Marriott claims that the first it knew of the problem was a security alert on September 18. It started an investigation that took until November 19 to determine that a breach had occurred. The investigation uncovered an encrypted file on the Starwood systems. Marriott staff, or their security contractor, decrypted that file. It was found to contain customer data, at which point the company started to notify regulators.

So far, the investigation has identified the details of 327 million guests. The details in the file, and presumed to be in the hands of hackers, include:

- Name
- Mailing address
- Phone number
- Email address
- Passport number
- Starwood Preferred Guest (“SPG”) account information
- Date of birth
- Gender
- Arrival and departure information
- Reservation date
- Communication preferences

The company also admitted that the information includes payment card numbers and payment card expiration dates. While it claims the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), it also admits that the keys to decrypt those payment cards may have been stolen as well. If so, this makes the breach significantly worse, as it shows the hackers had complete access to all company information.

Why was this not detected earlier?

That is a question that everyone wants the answer to. The attackers had been inside the Starwood system for at least a year before Marriott and Starwood announced the acquisition in November 2015. The deal took 10 months to complete and cost Marriott $13 billion. However, while the formal paperwork was complete, the IT systems integration has been an ongoing challenge. In Sorenson’s statement he admitted that the systems were not integrated.

Integrating complex systems is never easy. In this case, it was not just core booking systems but management systems and reward membership schemes that needed to be integrated. Starwood also had a problem with integration. The Club Carlson systems were separate from the Starwood systems, as were those of other hotels. This may have added to the complexity for the IT integration team.

Part of the IT integration project should have been the security and safety of data. It is clear that no security audit of the Starwood systems was carried out, something that regulators and shareholders will want to know about. After the problems with undisclosed breaches that Verizon found when it acquired Yahoo, a security audit of any acquisition target should be a priority.

Ongoing challenges with this acquisition also reared their head at the Marriott August earnings call with analysts. The company admitted that completing the integration was causing issues. However, it sought to focus that call on quality and the disposal of properties that didn’t meet its standards. Little was said about the IT challenges or the fact that those systems were still not integrated almost two years after the deal closed.

What does the industry say?

Unsurprisingly, there has been a huge response from cyber security vendors and other industry commentators. The biggest issue for most seems to be the length of time that the hackers operated freely inside Starwood systems. There is also concern that they may have already migrated across into the Marriott systems. This could have occurred during the merging of the rewards databases and other systems that have already been integrated.