Gigantic Data Breach At Marriott International Affects 500 Million Customers. Plenty Of Questions Remain
A gigantic data breach at Marriott International affects about 500 million customers who have stayed at its Starwood network of hotels in the United States, Canada, and the United Kingdom. Marriott International announced the data breach on Friday, November 30th, and set up a website for affected Starwood guests.
According to its breach announcement, an "internal security tool" discovered the breach on September 8, 2018. The initial data breach investigation determined that unauthorized persons accessed its registration database as far back as 2014, and had both copied and encrypted information before removing it. Marriott engaged security experts, the information was partially decrypted on November 19, 2018, and the global hotel chain determined that the information was from its Starwood guest reservation database.
The Starwood hotels network includes brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, and more. Marriott has not finished decrypting all information, so there may be future updates from the breach investigation.
For 327 million guests, the personal data items stolen included a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some guests, the information stolen also included payment card numbers and payment card expiration dates. While Marriott said the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), its warned that it doesn't yet know if the encryption keys (needed to decrypt payment information) were also stolen.
For 173 million guests, fewer personal data items were stolen included, "name and sometimes other data such as mailing address, email address, or other information." Marriott International said its Marriott-branded hotels were not affected since they use a different reservations database on a different server.
Marriott said it has notified law enforcement, is working with law enforcement, and has begun to notify affected guests via email. The hotel chain will offer affected guests in select countries one year of free enrollment in the WebWatcher program which, "monitors internet sites where personal information is shared and an alert to the consumer if evidence of the consumer’s personal information is found." WebWatcher will not be offered to all affected guests. Eligible guests should read the fine print, which the Starwood breach site summarized:
"Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. For residents of the United States, enrolling in WebWatcher also provides you with two additional benefits: (1) a Fraud Loss Reimbursement benefit, which reimburses you for out-of-pocket expenses totaling up to $1 million in covered legal costs and expenses for any one stolen identity event. All coverage is subject to the conditions and exclusions in the policy; and (2) unlimited access to consultation with a Kroll fraud specialist. Consultation support includes showing you the most effective ways to protect your identity, explaining your rights and protections under the law, assistance with fraud alerts, and interpreting how personal information is accessed and used..."
The seriousness of this data breach cannot be overstated. First, it went undetected for a very long time. Marriott needs to explain that and the changes it will implement with an improved "internal security tool" so this doesn't happen again. Second, 500 million is an awful lot of affected customers. An awful lot. Third, breach CNN Business reported:
"Because the hack involves customers in the European Union and the United Kingdom, the company might be in violation of the recently enacted General Data Protection Regulation (GDPR). Mark Thompson, the global lead for consulting company KPMG's Privacy Advisory Practice, told CNN Business that hefty GDPR penalties will potentially be slapped on the company. "The size and scale of this thing is huge," he said, adding that it's going to take several months for (EU) regulators to investigate the breach."
Fourth, the data items stolen are sufficient to cause plenty of damage. Security experts advise affected customers to change their Starwood passwords, check the answers.Kroll.com breach site next week to see if their information was compromised/stolen, sign up for credit monitoring (if they don't already have it), watch their payment or bank accounts for fraudulent entries, and consider an early renewal if your passport number was compromised/stolen. Fifth, companies usually arrange free credit monitoring for breach victims for one or two years. So far, Marriott hasn't done this. Maybe it will. If not, Marriott needs to explain why.
Sixth, breach notification of affected guests via email seems sketchy... like Marriott is trying to cut corners and costs. History is littered with numerous examples of skilled spammers and cybercriminals using faked or spoofed email to trick consumers into revealing sensitive personal and payment information. It will be interesting to see how Marriott's breach notification via email works and manages this threat.
Seventh, lawsuits and other investigations have already begun. ZDNet reported:
"... two Oregon men sued international hotel chain Marriott for exposing their data. Their lawsuit was followed hours later by another one filed in the state of Maryland. Both lawsuits seek class-action status. While plaintiffs in the Maryland lawsuit didn't specify the amount of damages they were seeking from Marriott, the plaintiffs in the Oregon lawsuit want $12.5 billion in costs and losses. his should equate to $25 for each of the 500 million users who had their personal data stolen from Marriott's serv ers... The Maryland lawsuit was filed by Baltimore law firm Murphy, Falcon & Murphy..."
"The Massachusetts, New York and Illinois state attorneys general quickly announced they would examine the hack. Connecticut George Jepsen (D) is also looking into the matter, a spokesman told Bloomberg Law."
Eighth, the breach site's website address unnecessarily vague: answers.kroll.com. Frankly, a website address like "starwood-breach.kroll.com" or "marriott-breach.kroll.com" would have been better. (The combination of email notification and vague website name seems eerily similar to the post-breach clusterf--k by Equifax's poorly implemented breach site.) Maybe this vague address was a temporary quick fix, and Marriott will host a comprehensive breach-status site later on one of its servers. That would be better and clearer for affected customers, who probably are unfamiliar with Kroll. Readers of this blog probably first encountered Kroll after IBM Inc. contracted it to help implement IBM's post-breach response in 2007.
The Starwood breach notice appears within the news section of Marriott.com site. Also, Marriott's post-breach notice included overlays on both the home page and the Starwood landing page within the Marriott.com site. This is a good start, but a better implementation would insert a link directly into the webpages, since the overlays don't render well in all browsers on all devices. (Marriott: you did test this before deployment?) Example: people with pop-up blockers may miss the breach notice in the overlays. And, a better implementation would link to the news story's detail page within the Marriott.com site -- not directly to the vague answers.kroll.com site.
Last, some questions remain about the post-breach response:
- Why email notices to breach victims? Hopefully, there are more reasons than simply saving postal mailing costs.
- Why no credit monitoring offers to breach victims?
- What data in the Starwood reservations database was altered by the attackers? That data was encrypted by the attackers suggests that the attackers had sufficient time, resources, and skills to modify or alter database records. Marriott needs to explain what it is doing about this.
- When will Marriott host a breach site on one of its servers? No doubt, there will be follow-up news, more questions by breach victims, and breach investigation updates. A dedicated breach site on one of its servers seems best. Leaning too much on Kroll is not good.
- Why did the intrusion go undetected for so long? Marriott needs to explain this and the post-breach fix so guests are reassured it won't happen again.
- Is the main Marriott reservations database also vulnerable? Guests for other brands weren't affected since a separate reservations database was used. Maybe this is because the main Marriott reservations database and server are better protected, or cybercriminals haven't attacked it (yet). Guests deserve comprehensive answers.
- Why the website overlaps/pop-ups and not static links?
- What changes (e.g., software upgrades, breach detection tools, employee training, etc.) will be implemented so this doesn't happen again?
Having blogged about data breaches for 11+ years, these types of questions often arise. None are unreasonable questions. Answers will help guests feel comfortable with using Starwood hotels. Plus, Marriott has an obligation to fully inform guests directly at its website, and not lean on Kroll. What do you think?