In case you haven’t heard by now, Marriott has announced that Starwood’s guest reservation database was breached. The number of records obtained by the perpetrators exceeds the quantities noted in yesterday’s article on an improperly configured ElasticSearch instance. At roughly five hundred million guest records, this lapse in security is going to carry a significant financial impact for Marriott. While the company is offering identity monitoring services in some regions, the larger expense is likely to come from fines for non-compliance with GDPR. The fact that the adversaries were able to retain access to this trove of data for four years, since 2014, raises serious questions around the following considerations:
- Information Security Policy/Program at Starwood and Marriott: The merger between these two hotel giants was completed in September of 2016. For the two years prior to the merger, the adversary went undetected while carrying out reconnaissance and exfiltrating data. The tools, sensors, or policies governing how Starwood monitored its systems for suspicious or malicious behavior were either not being used properly or did not exist. As part of the integration of the two organizations, it would also appear that Marriott’s tools and sensors were unable to detect this pre-existing intrusion. While Marriott’s reactive response does provide a level of acknowledgement and accountability, the damage to the brand may persist for months or years to come.
- Proper vetting of the acquisition target: Ideally, Marriott would have had vulnerability scans performed against all Starwood assets before the merger closed. That effort may have turned up some proverbial breadcrumbs, and potentially closed some of the holes used as attack vectors to reach the trove of data. The extended delay in detection raises additional questions about Marriott’s vulnerability management and risk management programs. Do they exist? Are they being followed on an established and repeated cadence? I’m optimistic that the post-mortem on this event will address gaps and deficiencies without blaming one person, as the fine folks at Equifax did.
As we approach the end of 2018, consumers can only hope that organizations allocate larger budgets for the people and solutions needed to build a strong and holistic cyber security capability in 2019 and beyond.