Marriott: The data breach that led to a $123m fine

Marriott Group’s data breach came as a surprise to many as it went undetected for four years.
11 July 2019

The hospitality industry is a rich target for attacks. Source: Shutterstock

On Tuesday (July 9), the Information Commissioner’s Office (ICO) issued a US$123 million fine to hospitality giant Marriott over a data breach, discovered in late 2018, in which hackers stole the records of 399 million guests.

Marriott has challenged the lawsuit, with CEO Arne Sorenson stating in a press release that the hotel giant has been cooperating with the ICO throughout the investigation. However, the damage has been done: the data has been stolen and may well already be in use for other illegal activities.

This incident came as a big disappointment to many of its loyal customers. Worse still, the fact that the breach had been going on for four years before it was detected paints a terrible picture of the hospitality giant.

Too late by the time they found out

Because of the sheer volume of people the hospitality industry deals with every day, it is another data farm for hackers to exploit. In Marriott’s case, the hackers stole guests’ personal information from the reservation system of Starwood Hotels, which Marriott acquired in 2016.

Despite acquiring Starwood in 2016, Marriott failed to detect a breach that had been going on in Starwood’s systems for two years before the acquisition. It only came to light on September 7, 2018, when one of its security systems was triggered by an unusual query from an administrator’s account and flagged that something was amiss. The incident was isolated for investigation because it appeared that a human operator was interacting with the account.

Upon investigation by Marriott and third-party investigators, malware was found on Starwood’s IT systems: a Remote Access Trojan (RAT), which gives hackers the ability to access and control Marriott’s computers. At this point nothing was reported to the authorities, as Marriott had found no evidence that data had been stolen.

Nothing was reported in October 2018 either, when investigators found another piece of malicious software, Mimikatz, on the system. Despite knowing that it is used to harvest usernames and passwords, Marriott again had no evidence that data was being stolen.

Only when investigators found evidence that two compressed and encrypted files had been deleted from the system did Marriott realize that the hackers had got the better of them. The files contained a table of passport information and another table of lodgers’ personal data from Starwood’s Guest Reservation Database. By the time this discovery was made, millions of guests’ personal information had been stolen.
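The three findings above (an unusual bulk query, a credential-theft tool, and staged archives created then deleted) were each treated in isolation. The following is an added example, not from the article or from Marriott, that correlates such signals over constructed log lines in an assumed `ts|host|event|key=value` format; the thresholds and the log format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed format), not real Marriott data.
SAMPLE_LOG = r"""2018-09-07T02:10:00|db01|query|user=svc_admin rows=5000000 table=GuestReservations
2018-09-20T11:00:00|db01|process_access|source=rundll32.exe target=lsass.exe
2018-10-01T03:00:00|db01|file_create|path=C:\temp\export1.7z size_mb=1800
2018-10-01T03:05:00|db01|file_create|path=C:\temp\export2.7z size_mb=2300
2018-10-01T04:40:00|db01|file_delete|path=C:\temp\export1.7z
2018-10-01T04:41:00|db01|file_delete|path=C:\temp\export2.7z"""


def parse(log):
    """Turn each log line into (timestamp, host, event kind, field dict)."""
    events = []
    for line in log.splitlines():
        ts, host, kind, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append((datetime.fromisoformat(ts), host, kind, fields))
    return events


def correlate(events, archive_window=timedelta(hours=6), bulk_rows=1_000_000):
    """Return (timestamp, alert kind, description) for each suspicious stage seen."""
    alerts = []
    created = {}  # (host, path) -> (create time, size) for archive files
    for ts, host, kind, f in events:
        if kind == "query" and int(f.get("rows", 0)) >= bulk_rows:
            alerts.append((ts, "bulk_query", f"{f['user']} read {f['rows']} rows from {f['table']}"))
        elif kind == "process_access" and f.get("target", "").lower() == "lsass.exe":
            # Opening lsass.exe is the classic credential-dumping behaviour of tools like Mimikatz
            alerts.append((ts, "credential_access", f"{f['source']} opened lsass.exe"))
        elif kind == "file_create" and re.search(r"\.(7z|zip|rar)$", f["path"], re.I):
            created[(host, f["path"])] = (ts, f.get("size_mb"))
        elif kind == "file_delete" and (host, f["path"]) in created:
            c_ts, size = created.pop((host, f["path"]))
            if ts - c_ts <= archive_window:  # staged, (presumably) exfiltrated, then cleaned up
                alerts.append((ts, "staged_archive_removed",
                               f"{f['path']} ({size} MB) created and deleted within {ts - c_ts}"))
    return alerts


def should_escalate(alerts):
    """Two distinct stages together indicate an active intrusion, not isolated noise."""
    return len({kind for _, kind, _ in alerts}) >= 2
```

Each stage on its own is what the article describes as "no evidence of theft"; the point of the correlation is that two or more together should trigger incident response and notification.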

Don’t wait till it’s too late

Calling this a “failure to undertake due diligence when Marriott bought Starwood”, Information Commissioner Elizabeth Denham said in a statement: “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.”

Matt Aldridge, Webroot’s senior solutions architect, noted to Hospitalitytech: “What’s interesting about this incident is that Starwood was breached two years prior to the Marriott acquisition, which brings up the question of: ‘To what extent should Merger & Acquisition due diligence extend to cybersecurity audit, and if indeed this was done at the time, why did it not uncover this issue?’

“A prior breach is a real risk issue for a company to take on and needs to be considered. Cyber hygiene needs to be embedded into business processes at all levels,” he added.

Marriott could also have avoided this blunder had it taken steps to address the issue the first time it detected that something was amiss. The way Marriott handled the first and second discoveries shows that it paid no heed to the threats present because nothing “real” had been lost at that point.

Commenting on the case, Rufus Grig, Chief Technology Officer (CTO) of Maintel, said: “Every company is a target when it comes to cyber-attacks, and there only needs to be a single vulnerability to enable a breach. While cybercriminals will always find new ways of gaining access, there are ways to reduce risk and minimise the loss of data.”

ICO means business

Marriott’s fine, the other fines issued by the ICO over the past few months, and Denham’s statement stand as solid proof that the regulator will not take GDPR violations lightly. Stepping up cybersecurity is no longer “optional” for businesses, and these fines serve as warning shots to the business community: improve your cybersecurity or face the same consequences as this hospitality giant.

While the fine proposed by the ICO is eye-watering enough, it would not be a record. That accolade goes to British Airways, which is facing a £183 million (US$230 million) fine for last year’s breach of its security systems. In that case, BA passengers were diverted to a fraudulent site, which led to the compromise of 500,000 customers’ details.