Hundreds of Millions of Sensitive Guest Records Stolen in Marriott Breach
December 19, 2018 | Filed Under: Security, Security News
In what was arguably the worst information security breach in the hospitality industry’s history, as yet unidentified attackers gained access to the guest records of hundreds of millions of people (Marriott’s initial estimate was up to 500 million). The exposed data included names, addresses, phone numbers, driver’s license and even passport numbers of guests of Starwood hotels, a chain Marriott acquired in 2016.
While Marriott is already facing lawsuits related to the breach, it is attempting to remedy the situation by covering the cost of new passports for affected guests, though only where fraud can be shown to have resulted from the breach. Many observers are skeptical of this claimed largesse, since replacing every potentially affected passport would cost tens of billions of dollars, and anticipate that Marriott will end up covering only a limited number of cases. More troubling still, the company states that the unauthorized parties have had access to the Starwood reservation database since 2014, two years before Marriott acquired the chain, and that the intrusion came to light only in September 2018, when an internal security tool flagged an attempt to access that database. How it went undetected for so many years, including through the acquisition’s due diligence, is not known.
It is not yet clear whether the attackers have managed to decrypt the credit card records that were on file. Marriott has said the card numbers were encrypted with AES-128 but has not been able to rule out that both components needed to decrypt them were also taken. The Payment Card Industry Data Security Standard (PCI DSS) permits the primary account number (PAN) to be stored only where there is a documented business need, such as recurring billing; requires it to be rendered unreadable wherever it is stored, i.e. strongly encrypted, truncated, replaced by an index token, or protected by a keyed one-way hash; and forbids storing sensitive authentication data such as the CVV, full magnetic-stripe data and PIN blocks at all after authorization.
Encrypted data raises its own concerns when it is exposed in bulk, however. If Starwood’s systems were still using 3DES, which NIST has deprecated and which Target was using for customer PIN data as recently as 2013, the practical danger is not brute-force key recovery (three-key 3DES retains a 112-bit effective key) but the algorithm’s 64-bit block size: once roughly 2^32 blocks have been encrypted under a single key, ciphertext block collisions begin to leak relationships between plaintext blocks (the Sweet32 attack), and a reservation database of hundreds of millions of records encrypted under one long-lived key is in exactly that regime. Add nearly four years of access, during which the attackers could also have taken the decryption keys or key-management components themselves, plus the computing resources available to a state agency or organized crime group, and decryption of any stored card data is a real possibility.
When it comes to sensitive data, the recommendations are as follows:
- Don’t store it at all if you can avoid it.
- Let a PCI-compliant payment processor store it for you and hand you a token that is worthless outside that processor.
- Failing that, use strong encryption, e.g. AES-256 in an authenticated mode such as GCM, never ECB, with the keys held in an HSM or key-management service rather than alongside the data.
- Get repeatedly audited by security and compliance experts, with the audit covering key management as well as the database.
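As an added illustration of the storage forms the recommendations above and the PCI DSS discussion refer to, the following Go program (written for this page, not code from the original article or from any company named in it) shows truncation, a keyed HMAC token, and AES-256-GCM with the record ID bound as associated data. It also shows why ECB mode is singled out: a 16-digit PAN is exactly one AES block, so ECB maps equal card numbers to identical ciphertext across an entire table, while GCM with a fresh nonce does not. The card number is the standard Visa test PAN, and the key and record IDs are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SamplePAN is a constructed test card number (the standard Visa test PAN),
// not a real account. It is exactly 16 bytes, i.e. one AES block.
const SamplePAN = "4111111111111111"

// Truncate keeps only the first six and last four digits, the form PCI DSS
// permits for display and for storage without further protection.
func Truncate(pan string) string {
	if len(pan) < 13 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Token derives a lookup token with HMAC-SHA256 under a secret key kept apart
// from the database. An unkeyed hash would not do: with the six-digit BIN and
// the Luhn check digit fixed, a 16-digit PAN has only about 10^9 candidates,
// so an attacker holding the table could hash every one and reverse it.
func Token(key []byte, pan string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}

// EncryptECB encrypts a 16-digit PAN as a single raw AES block, which is all
// ECB mode does. Kept only to show the leak: equal PANs give equal ciphertext.
func EncryptECB(key []byte, pan string) ([]byte, error) {
	if len(pan) != aes.BlockSize {
		return nil, errors.New("ECB demo expects a 16-digit PAN")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, []byte(pan))
	return out, nil
}

// EncryptGCM encrypts the PAN with AES-256-GCM under a fresh random nonce and
// binds the ciphertext to its record ID as additional authenticated data, so a
// ciphertext copied onto another guest's row fails to decrypt.
// Output layout: nonce || ciphertext || tag.
func EncryptGCM(key []byte, pan, recordID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), []byte(recordID)), nil
}

// DecryptGCM reverses EncryptGCM; any change to nonce, ciphertext or record ID
// is rejected by the authentication tag.
func DecryptGCM(key []byte, blob []byte, recordID string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // AES-256 key; in production it lives in an HSM/KMS, not beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	a, _ := EncryptECB(key, SamplePAN)
	b, _ := EncryptECB(key, SamplePAN)
	fmt.Println("ECB, same PAN twice, identical ciphertext:", hex.EncodeToString(a) == hex.EncodeToString(b))
	c, _ := EncryptGCM(key, SamplePAN, "guest-1")
	d, _ := EncryptGCM(key, SamplePAN, "guest-1")
	fmt.Println("GCM, same PAN twice, identical ciphertext:", hex.EncodeToString(c) == hex.EncodeToString(d))
	pt, err := DecryptGCM(key, c, "guest-2") // ciphertext moved to another row: tag check fails
	fmt.Printf("GCM ciphertext on wrong record: plaintext=%q err=%v\n", pt, err)
	fmt.Println("truncated:", Truncate(SamplePAN), "token:", Token(key, SamplePAN)[:16]+"...")
}
```

Binding the record ID as associated data is the cheap defence against an attacker who has write access to the table and tries to swap a ciphertext onto an account they control; it costs nothing at rest and turns a silent substitution into a decryption error that monitoring can catch.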
Most importantly, the real safeguard is preventing the intrusion in the first place. Use an integrated Privileged Account Management system like CyberSana to lock down administrator functions, monitor your network, and run continuous compliance and vulnerability audits to protect your company and your customers.