The Marriott Breach—one of the largest breaches in the history of cybersecurity—dominated headlines over the weekend. 500 million customers had their vital personal identifying information exposed and potentially stolen, with the breach dwelling on the network for years before being discovered.
Now is the time to ask the real questions: what can enterprises learn from the Marriott Breach? How can they fortify their own networks to prevent a breach of this proportion? What compliance issues will this breach cause?
To gain more perspective on these questions, we spoke with Gates Marshall, Director of Cyber Services at CompliancePoint. Here’s our conversation, edited slightly
Solutions Review: How could a security issue this big go unaddressed and undetected for so long?
Gates Marshall: From what has been disclosed, it appears this breach started in 2014, prior to the Marriott acquisition of [Starwoods Properties]. In theory, this should have been identified as part of a cyber risk assessment conducted during the M&A activities. It’s likely that the different corporate entities had different levels of security maturity and this issue was obscured as the company worked to merge systems. Whatever detective controls were in place, like security alerts, may not have been applied to all assets. There was a purported breach of the Marriott incident response team in 2017 that should have triggered a thorough review which may have identified this. In the end, attackers can be very advanced and the commotion around M&A homogenization activities created enough fog for this incident to last for 4 years.
SR: What information security or penetration testing tactics, capabilities, or strategies could have helped Marriott avoid this breach? Could anything have stopped the Marriott Breach?
GM: At the end of the day, a criminal needs three things to breach something:
- A way in
- Access to the data cookie jar
- A way to get the data back in attacker control to sell etc.
Vulnerability scanning and penetration testing can help detect “ways in” so that they can fix the issue before a breach occurs.
Implementing cyber resiliency controls, which assume a compromise has occurred and are designed to limit the scope of the breach, would have made it harder to get to the data cookie jar and/or impossible to get there without detection.
Implementing various alerting technologies would generate alerts as the data was attempted to be exfiltrated back to the attackers’ control. The public statements by Marriott indicate that some data was encrypted by the attacker, which is a common tactic to mask the data as it’s being sent back out the door. Preventing the attacker from being able to execute the encryption routine or other system hardening steps could be taken to make it harder to mask the data. Using data leak prevention technologies to detect and block the transmission of sensitive data types would have helped.
Creating fictitious records in the customer database that should never be accessed for a legitimate reason and then configuring auditing on those records would also help. The attackers aren’t selectively choosing records to export in most instances, they’re getting them all. Having an alert mechanism of some sort for mass data transfers or sensitive record access would further alleviate the risk.
SR: What do you think the Marriott Breach will mean for corporate compliance initiatives overall?
Compliance is a focus of sectoral standards for the most part: “healthcare does this, credit cards do that” kind of logic.
I think companies need to go back to their drawing boards and define their non-regulatory needs, such as keeping customer loyalty or preparation for forthcoming cyber and privacy laws that aren’t enforced yet. These should be integrated into the overall compliance initiatives being performed. Brand loyalty today is very important, and we’ve seen a few recent loyalty program breaches. A breach is a great way to discourage continued usage of the brand loyalty programs.
This breach seems very relevant considering several fast food restaurants apps now. It’s a new way to engage with the customer, but there’s a fine line between customer interest and lost customers interest in the event of a breach.
SR: What should companies take away from the Marriott Breach in terms of data storage, data security, and network visibility?
GM: If you don’t need it, don’t keep it. If you don’t have the information to lose, your risk is eliminated.
Encryption is not just for credit card numbers. All PII is important. Consider expanding existing controls, such as those mandated by PCI for credit cards, to other non-payment related systems in the overall environment.
Implement a robust vulnerability management program. It’s unknown if the attackers compromised an external website to get in or sent something as simple a phishing email, but it’s likely that after getting in they needed to do a series of exploits. Detecting potential weaknesses, validating those weaknesses, and fixing those weaknesses will make it much harder for an attacker to break in or move around once they’re inside your systems.
SR: Do you think Marriott will run afoul of GDPR? And what will that look like?
It’s unknown if EU natural person data was compromised. Based on the size of the breach it seems likely that some EU natural person data was also compromised. Marriott is likely working with their EU DPA representative to facilitate transparency and involvement by the supervisory authorities there. Another potential issue around GDPR is that the record set was so large. It’s unknown if Marriott had a lawful basis to collect or maintain the various data elements that were disclosed to have been breached.
Thanks to Gates Marshall, Director of Cyber Services at CompliancePoint, for his time and expertise on the Marriott Breach.
Latest posts by Ben Canner (see all)
- What’s Changed? The Gartner 2018 SIEM Magic Quadrant - December 6, 2018
- What to Know about the Quora Data Breach Affecting Approx. 100 Million - December 4, 2018
- Lessons From The Marriott Breach with Gates Marshall of CompliancePoint - December 3, 2018