On November 19, Marriott discovered they were responsible for one of the largest-ever breaches of customer information. More than 500 million people had their personal data stolen, and the information included 327 million encrypted credit card numbers as well.
What we know so far is that Starwood, the company Marriott acquired in 2016, had an active breach at the time of purchase. Starwood was actively breached starting in 2014, and neither Marriott nor Starwood understood that they were compromised until a month ago. In the wake of this massive breach, we sat down with Russell Moore, CISSP, Risk and Compliance Solutions Architect at Accudata, and asked him a few questions. The following is only opinion and conjecture, as many facts about the breach have not yet come to light.
- Do you think Marriott would have bought Starwood knowing it was actively compromised? If so, would that have affected the purchase price?
This is somewhat irrelevant today. Breach activity is so common, and ultimately customer perception is based around a “how am I affected?” mentality; I doubt it would have even been considered. Most likely, there was an assessment around security posture, and they probably passed. Having security measures in place versus effectively using them are two completely different paradigms.
I think as these breaches with larger companies continue to come to light, we will see an uptick in pre- or post-acquisition compromise assessments to better validate whether there is any active breach activity in a potential acquisition’s environment. All this ultimately points to a change in the mindset when it comes to security—we must assume we are always breached unless we can prove otherwise, versus being optimistic about our posture and foolishly assuming the best.
- Should Marriott have done a sweep of Starwood’s environment before making a formal bid? Is there a standard process for this?
Most merger and acquisition (M&A) activity today will include a security assessment of some type. Most of the time, it’s an assessment of controls by an accounting firm in the form of an interview-type assessment. Going forward, I think we will see a move to do formal compromise assessments as part of M&A activity. Also, most M&A activity with private equity groups will include some type of security assessment.
- Would a standard penetration test have found this compromise? Was Starwood lacking in security policy, or was this a sophisticated breach?
No, a standard security assessment where you verify controls via interview, sampling, vulnerability assessment, and penetration testing will not typically uncover a breach. The assessments will identify weaknesses in your overall posture and potential avenues of attack, but to identify compromise and exfiltration, you need to identify the data or command-and-control traffic active within your network.
This is where strong security operations are important to identify anomalous traffic and be able to determine if it is malicious. Accudata helps enable security teams with the technology needed to identify potentially malicious traffic quickly and prevent “bad things.”
The root cause of the Starwood breach is unclear at this point. What we do know is that the dwell time (time the malicious access persisted) was extraordinary, potentially four years. This is indicative of a lack of understanding of normal versus abnormal activity when it comes to the specific database. Ultimately, the basis for securing any application is being able to identify and control abnormal activity.
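As an added illustration of the "normal versus abnormal" point above (example code written for this post's argument, not anything from Accudata, Marriott or Starwood): it builds a per-account baseline from constructed database audit-log lines, flags days whose read volume is far above that baseline, and measures the resulting dwell time. The log format, account names and the threshold values are assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample audit log, one line per account per day: "date account rows_read".
SAMPLE_LOG = """\
2018-09-01 reservations_app 1200
2018-09-02 reservations_app 1350
2018-09-03 reservations_app 1100
2018-09-04 reservations_app 1250
2018-09-05 reservations_app 1300
2018-09-06 reservations_app 2000000
2018-09-07 reservations_app 2100000
2018-09-08 reservations_app 1280
2018-09-01 reporting_svc 50000
2018-09-02 reporting_svc 52000
2018-09-03 reporting_svc 48000
2018-09-04 reporting_svc 51000
"""

def parse_log(text):
    """Return {account: [(date, rows_read), ...]} with each list sorted by date."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        day, account, rows = line.split()
        per_account[account].append((date.fromisoformat(day), int(rows)))
    for events in per_account.values():
        events.sort()
    return per_account

def flag_anomalies(per_account, factor=10, min_days=3):
    """Flag a day when rows_read exceeds `factor` times the median of that account's
    earlier, unflagged days. The baseline is per account because "normal" for a
    reporting job is abnormal for an application login. Thresholds are assumed."""
    flagged = []
    for account, events in per_account.items():
        baseline = []  # rows_read on days judged normal so far
        for day, rows in events:
            if len(baseline) >= min_days and rows > factor * median(baseline):
                flagged.append((account, day.isoformat(), rows))
                continue  # keep the outlier out of its own baseline
            baseline.append(rows)
    return flagged

def dwell_time_days(flagged, detected_on):
    """Days from the earliest flagged day to the day the anomaly was noticed."""
    if not flagged:
        return 0
    first = min(date.fromisoformat(day) for _, day, _ in flagged)
    return (date.fromisoformat(detected_on) - first).days
```

On the constructed log, the two bulk-read days of `reservations_app` are flagged while `reporting_svc`, whose large daily reads are normal for it, is not.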
- From a PCI perspective, is it common for the hotels themselves to store the amount of credit card data that Starwood had? Are there going to be PCI complications from this breach?
From a PCI perspective, Marriott reported that the database in question contained credit card data that was encrypted. The primary issue they have is that there is some ambiguity at this point whether the encryption keys needed to unencrypt the data were compromised as well.
If Marriott is unable to verify that the keys were not compromised, I think we have to assume the card data is fair game and considered compromised, and people affected should take appropriate measures. It is important to remember that compliance does not guarantee security. From a PCI compliance perspective, Marriott will surely be scrutinized, but until we have all the details it is hard to speculate where the breakdown occurred and how that will translate into potential repercussions.
Only time will tell the exact details of this breach, but it will certainly go down as one of the largest customer data breaches in history. The Accudata Security team helps protect organizations from breaches like this across the entire attack continuum, from technical assessments and penetration testing to tools and remediation. Breaches and cyber attacks are inevitable; as Russell mentions, “we must assume we are always breached unless we can prove otherwise, versus being optimistic about our posture and foolishly assuming the best.”