Marriott Discloses 2nd Data Breach in Less than 2 Years

Marriott International, Inc., the world’s largest hotel chain, recently disclosed a second data breach in a span of less than two years.

Marriott, which owns over 7,300 hotels and licenses vacation ownership resorts in 134 countries and territories, in a statement, said that it became aware of this new data breach at the end of February 2020. The company believes that this latest data breach started way back in mid-January 2020.

Marriott said this latest data breach affected 5.2 million guests and the following information may have been breached:

• Contact details (e.g., name, mailing address, email address, and phone number);
• Loyalty account information (e.g., account number and points balance, but not passwords);
• Additional personal details (e.g., company, gender, and birthday day and month);
• Partnerships and affiliations (e.g., linked airline loyalty programs and numbers); and
• Preferences (e.g., stay/room preferences and language preference).

Less than two years ago, specifically on November 30, 2018, Marriott disclosed another data breach, this time, affecting 500 million guests. The company said that out of the 500 million affected guests, approximately 327 millions of guests had their data breached, including some combination of name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

This earlier data breach, the company said, lasted for nearly four years, from 2014 to September 8, 2018. The company didn’t specify the exact date in 2014 that this earlier data breach started. On November 16, 2015, Marriott announced that it acquired Starwood Hotels & Resorts. Just days after the Marriott acquisition, Starwood disclosed its own data breach affecting nearly 100 Starwood hotels in North America.

On July 9, 2019, the UK’s Information Commissioner’s Office (ICO), acting as lead supervisory authority on behalf of other EU Member State data protection authorities in the investigation of Marriott’s 4-year-long data breach, released a statement on its intention to fine Marriott over £99 million under GDPR for the company’s 4-year-long data breach.

“It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014,” the ICO said. “Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

Lessons from the Marriott Data Breaches

Here are some of the cybersecurity lessons from the two Marriott data breaches:

1. Secure Login Credentials

For the latest data breach, Marriott said the 5.2 million guest information may have been accessed using the login credentials of two employees at one of Marriott’s franchise property for the company’s app backend systems. According to Marriott, hotels operated and franchised under Marriott’s brands use an app to help provide services to guests at hotels.

Login credentials are sought after by cybercriminals as they’re the keys to the palace, in the case of the latest Marriott data breach, the keys to the company’s app backend systems.

Login credentials are used to authenticate users. Traditionally, the login credential consists of a username and a password. Login credentials consisting of only a username and password combination are typically stolen by cybercriminals through phishing campaigns – tricking email receivers to open malicious emails that masquerade as coming from legitimate senders. Clicking links or attached documents contained in these malicious emails could lead to the downloading of malicious software (malware) on the victims’ computers, resulting in the theft of login credentials.

Another way in which attackers steal login credentials that only use the username and password combination is through brute force attacks. In brute force attacks, attackers use the trial and error method, that is, guessing the possible username and password combination until the correct one is found.

Successful brute-force attackers often used the low and slow approach, that is, spacing the username and password-guessing process in hours and within days and even weeks. 

Login credentials, however, can also include other authentication methods aside from the traditional username and password combination. These additional authentication methods, also known as multi-factor authentication, add an additional layer of security as knowledge of the correct username and password combination isn’t enough to authenticate a user.

2. Improve Monitoring

Marriott’s earlier data breach disclosure – the one that spanned for nearly 4 years – didn’t specify the reason or reasons why the data breach happened in the first place.

Threat groups, such as state-sponsored groups that specifically target certain organizations, don’t mind how long they’re inside their victims’ networks. As shown in the case of Marriott’s earlier data breach, attackers could stay inside their victims’ networks for years to harvest sensitive data.

While it’s important for organizations to secure attack surfaces as much as possible, such as applying in a timely manner security updates, new attack surfaces may arise, leaving your organization’s network vulnerable to attack. For instance, while multi-factor authentication gives an added security, in some cases, this added security is bypassed by attackers.

Increased monitoring of network logs helps in unveiling whether malicious actors are lurking inside your organization’s network. Increased traffic during non-working hours and traffic from unfamiliar IP addresses are indicative of malicious activities inside your organization’s network.

Over the years, we helped and continue helping hundreds of companies achieve better cybersecurity posture and minimize IT risks through fully managed, proactive monitoring and updating of their systems. We can help you today. All you have to do is call (416) 920-3000 or email us at sales@genx.ca