Category Archives: Marriott

Marriott lowers estimate of customers affected by breach to 383 million, says 8.6 million encrypted payment cards involved

Following last year’s disclosure that hackers breached its systems, Marriot has released an update on the number of affected customers, the type of data that was leaked, as well as some changes to its practices and policies.

On Nov. 30, 2018, the world’s largest hotel chain issued an embarrassing notice that its servers were breached, leaving 500 million guest records in criminal wrong hands. With the help of internal and external forensics and analytics teams, Marriot now knows that the number of affected customers is lower – albeit still high, by any standards.

“Working closely with its internal and external forensics and analytics investigation team, Marriott determined that the total number of guest records involved in this incident is less than the initial disclosure,” Marriot says in the update, posted to its news center Friday. “Also, the number of payment cards and passport numbers involved is a relatively small percentage of the overall total records involved,” the hotel chain said.

According to the updated news release, Marriott now believes 383 million guests may have been affected, a number it refers to as “the upper limit” for the number of guest records involved in the incident. The number could be lower, Marriot says, considering that many guests have multiple records.

“The company has concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database,” it clarifies.

The investigation has brought to light several other details as well. For example, approximately 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were among the records accessed by the intruder. Investigators found no evidence that the master encryption key was accessed, but they haven’t ruled it out either. Guests can contact Marriott’s call center and ask reps to look up their passport number to see if and how they are affected.

Around 8.6 million encrypted payment cards were involved in the incident, including 354,000 that were unexpired as of September 2018. Again, Marriot believes hackers have not accessed either of the components needed to decrypt the encrypted payment card numbers, but investigators are not ruling out this scenario either. Notably, a small number of customers may be more affected than others because of the way Marriot encrypted some form fields while others were not subject to encryption. According to the notice:

“While the payment card field in the data involved was encrypted, Marriott is undertaking additional analysis to see if payment card data was inadvertently entered into other fields and was therefore not encrypted. Marriott believes that there may be a small number (fewer than 2,000) of 15-digit and 16-digit numbers in other fields in the data involved that might be unencrypted payment card numbers. The company is continuing to analyze these numbers to better understand if they are payment card numbers and, if they are payment card numbers, the process it will put in place to assist guests.”

Lastly, Marriot has discontinued the Starwood reservations database, and is now taking registrations solely through its own system. The breach, as readers might remember, occurred via Starwood’s servers, following Marriott’s acquisition of the leisure company in 2015.

Some say Chinese spies could be behind the Marriott breach, as part of a larger intelligence-gathering campaign targeting the U.S. and operated from Beijing.

Marriott breach included 5 million unencrypted passport numbers

Marriott has good news and bad news for travelers who have passed through its hotels. The good news is the data breach disclosed back in November, which was originally believed to have exposed the data of more than 500 million people, affected fewer travelers than originally reported (though it didn't specify how many). The bad news is the data lifted from the company included millions of peoples' passport numbers.

Via: Wall Street Journal

Source: Marriott

Why other Hotel Chains could Fall Victim to a ‘Marriott-style’ Data Breach

A guest article authored by Bernard Parsons, CEO, Becrypt

Whilst I am sure more details behind the Marriott data breach will slowly come to light over the coming months, there is already plenty to reflect on given the initial disclosures and accompanying hypotheses.

With the prospects of regulatory fines and lawsuits looming, assimilating the sheer magnitude of the numbers involved is naturally alarming. Up to 500 million records containing personal and potentially financial information is quite staggering. In the eyes of the Information Commissioner’s Office (ICO), this is deemed a ‘Mega Breach’, even though it falls short of the Yahoo data breach. But equally concerning are the various timeframes reported.

Marriott said the breach involved unauthorised access to a database containing Starwood properties guest information, on or before 10th September 2018. Its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Starwood disclosed its own breach in November 2015 that stretched back to at least November 2014. The intrusion was said to involve malicious software installed on cash registers and other payment systems, which were not part of its guest reservations or membership systems.

The extent of Marriott’s regulatory liabilities will be determined by a number of factors not yet fully in the public domain. For GDPR this will include the date at which the ICO was informed, the processes Marriott has undertaken since discovery, and the extent to which it has followed ‘best practice’ prior to, during and after breach discovery. Despite the magnitude and nature of breach, it is not impossible to imagine that Marriott might have followed best practice, albeit such a term is not currently well-defined, but it is fairly easy to imagine that their processes and controls reflect common practice.

A quick internet search reveals just how commonplace and seemingly inevitable the industry’s breaches are. In December 2016, a pattern of fraudulent transactions on credit cards were reportedly linked to use at InterContinental Hotels Group (IHG) properties. IHG stated that the intrusion resulted from malware installed at point-of-sale systems at restaurants and bars of 12 properties in 2016, and later in April 2017, acknowledging that cash registers at more than 1,000 of its properties were compromised.

According to KrebsOnSecurity other reported card breaches include Hyatt Hotels (October 2017), the Trump Hotel (July 2017), Kimpton Hotels (September 2016) Mandarin Oriental properties (2015), and Hilton Hotel properties (2015).

Therefore perhaps, the most important lessons to be learnt in response to such breaches are those that seek to understand the factors that make data breaches all but inevitable today. Whilst it is Marriott in the news this week, the challenges we collectively face are systemic and it could very easily be another hotel chain next week.

Reflecting on the role of payment (EPOS) systems and cash registers within leisure industry breaches is illustrative of the challenge. Paste the phrase ‘EPOS software’ into your favourite search engine, and see how prominent, or indeed absent, the notion of security is. Is it any wonder that organisations often unwittingly connect devices with common and often unmanaged vulnerabilities to systems that may at the same time be used to process sensitive data? Many EPOS systems effectively run general purpose operating systems, but are typically subject to less controls and monitoring than conventional IT systems.

So Why is This?
Often the organisation can’t justify having a full blown operating system and sophisticated defence tools on these systems, especially when they have a large number of them deployed out in the field, accessing bespoke or online applications. Often they are in widely geographically dispersed locations which means there are significant costs to go out and update, maintain, manage and fix them.

Likewise, organisations don’t always have the local IT resource in many of these locations to maintain the equipment and its security themselves.

Whilst a light is currently being shone on Marriott, perhaps our concerns should be far broader. If the issues are systemic, we need to think about how better security is built into the systems and supply chains we use by default, rather than expecting hotels or similar organisations in other industries to be sufficiently expert. Is it the hotel, as the end user that should be in the headlines, or how standards, expectations and regulations apply to the ecosystem that surrounds the leisure and other industries? Or should the focus be on how this needs to be improved in order to allow businesses to focus on what they do best, without being quite such easy prey?


CEO and co-founder of Becrypt

Cyber Security Roundup for November 2018

One of the largest data breaches in history was announced by Marriott Hotels at the end of November. A hack was said to have compromised up to a mind-blowing "half a Billion" hotel guests' personal information over a four year period.  See my post, Marriott Hotels 4 Year Hack Impacts Half a Billion Guests for the full details. The Radisson Hotel Group also disclosed its Rewards programme suffer a data compromise. Radisson said hackers had gained access to a database holding member's name, address, email address, and in some cases, company name, phone number, and Radisson Rewards member number.

Vision Direct reported a website compromise, which impacted users of their website between 3rd and 8th November, some 16,300 people were said to be at risk  A fake Google Analytics script was placed within its website code by hackers. 

Eurostar customers were notified by email to reset their passwords following presumably successful automated login attempts to Eurostar accounts with stolen credentials obtained by an unknown method.

Two of the TalkTalk hackers were sentenced to a grand total of 20 months for their involvement in the infamous 2015 blackmail hack, which was said to have cost TalkTalk £77 million. There may have been up to 10 other attackers involved according to the court transcripts when hackers attempted to blackmail TalkTalk’s then CEO Dido Harding into paying a ransom in Bitcoin to cover up the breach. Has the enterprise, and judiciary, learned anything from TalkTalk hack?

Uber was fined £385,000 by the UK Information Commissioner's Office, after hackers stole 2.7 million UK customers in October and November 2016. Uber attempted to cover up the breach by paying the hackers $100,000 (£78,400) to destroy the stolen customer data. Meanwhile stateside,
 Uber paid $148m to settle federal charges. 

HSBC announced it had suffered a customer data breach in between 4th and 14th of October 2018 in a suspected "credential stuffing" attack. HSBC didn't state how many customers were impacted but are known to have 38 million customers worldwide. HSBC advised their customers to regularly change and use strong passwords and to monitor their accounts for unauthorised activity, sage good practice online banking advice, but I am sure their customers will want to know what has happened.

Facebook is still making the wrong kind of privacy headlines, this time it was reported that Facebook member's private message data was found for sale online, with one instance involving 257,256 stolen profiles and including 81,208 private messages. The report appears to suggest malicious browser extensions, not Facebook, may be behind the data breach.

A report from a UK parliamentary committee warned the UK government is failing to deliver on protecting the UK's critical national infrastructure (CNI) from cyber attacks. "The threat to critical infrastructure, including the power grid, is growing" the committee reported, with some states -"especially Russia" - starting to explore ways of disrupting CNI. An advisory notice also warned that UK companies connected to CNI were being targeted by cyber attackers believed to be in eastern Europe. APT28 (Russian based FancyBear) has added the "Cannon" Downloader Tool to their arsenal, according to researchers.

Amazon's showcase Black Friday sale was hit by data breach days before it started. The online retail giant said it emailed affected customers, but refused to provide any details on the extent or nature of the breach. The customer email said “Our website inadvertently disclosed your email address or name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.” 

There was a far more positive security announcement by Amazon about their AWS (cloud) services, with the launch of three new services to simplify and automate AWS security configuration called AWS Control Tower, AWS Security Hub, and AWS Lake Formation McAfee released their 2019 'Cloud Adoption and Risk Report' which highlights the vital importance of configuring cloud services correctly and securely.

RiskIQ claimed that monitoring for malicious code could have stopped the recent theft of 185,000 British Airways customer records. The Magecart hacker group is believed to be responsible for injecting twenty-two lines of malicious script into the British Airway's payment page, which successfully lifted debit and credit card details, including the CVV code.

Finally, according to enSilo, European Windows users are said to be targeted by a sophisticated malware called 'DarkGate', which has an arrange of nefarious capabilities, including cryptomining, credential stealing, ransomware, and remote-access takeovers. The DarkGate malware has been found to be distributed via Torrent files disguised as popular entertainment offerings, which includes Campeones and The Walking Dead, so be careful to avoid becoming infected!

NEWS

Marriott Hotels 4 Year Hack Impacts Half a Billion Guests!

A mammoth data breach was disclosed by hotel chain Marriott International today (30 Nov 18), with a massive 500 million customer records said to have been compromised by an "unauthorized party". 
Image result for marriott
The world's largest hotel group launched an internal investigation in response to a system security alert on 8th September 2018, and found an attacker had been accessing the hotel chain's "Starwood network" and customer personal data since 2014, copying and encrypting customer records. In addition to the Marriott brand, Starwood includes W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. 

Image result for starwood
You are at risk if you have stayed at any of the above hotel brands in the last 4 years

The Marriott statement said for around 326 million of its guests, the personal information compromised included "some combination" of, name, address, phone number, email address, passport number, date of birth, gender and arrival & departure information. The hotelier also said encrypted payment card data was also copied, and it could not rule out the encryption keys to decrypt cardholder data had not been stolen.

The hotel giant said it would notify customers affected and offer some a fraud detecting service for a year for free, so I expect they will be making contact with myself soon. In the meantime, Marriott has launched a website for affected customers and a free helpline for concerned UK customers 0808 189 1065.

The UK ICO said it would be investigating the breach, and warned those who believe they are impacted to be extra vigilant and to follow the advice on the ICO website, and by the National Cyber Security Centre
. The hotel chain could face huge fines under the GDPR, and possibly a large scale class action lawsuit by their affected guests, which could cost them millions of pounds. 

What I really would like to know is why the hotel chain had retained such vast numbers of guest records post their stay. Why they held their customer's passport details and whether those encryption keys were stolen or not. And finally, why the unauthorised access went undetected for four years.

Tom Kellermann, Chief Cybersecurity Officer for Carbon Black, said "It appears there had been unauthorised access to the Starwood network since 2014, demonstrating that attackers will get into an enterprise and attempt to remain undetected. A recent Carbon Black threat report found that nearly 60% of attacks now involve lateral movement, which means attackers aren’t just going after one component of an organisation - they’re getting in, moving around and seeking more targets as they go."

The report also found that 50% of today’s attackers now use the victim primarily for island hopping. In these campaigns, attackers first target an organisation's affiliates, often smaller companies with immature security postures and this can often be the case during an M&A. This means that data at every point in the supply chain may be at risk, from customers, to partners and potential acquisitions.”

Jake Olcott, VP of Strategic Partnerships at BitSight, said "Following the breaking news today that Marriott’s Starwood bookings database has been comprised with half a billion people affected, it highlights the importance of organisations undertaking sufficient security posture checks to avoid such compromises. Marriott’s acquisition of Starwood in 2016 allowed it to utilise its Starwood customer database. Therefore, proactive due diligence during this acquisition period would have helped Marriott to identify the potential cybersecurity risks, and the impact of a potential breach".

“This is yet another example of why it is critical that companies perform cybersecurity analysts during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a “snapshot in time” view.

“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company. After an investment has been made, continuous monitoring is essential.”