Another year, another breach against Marriott.
In November 2018, Marriott suffered a massive data breach in which unknown cybercriminals hacked into one of its databases and stole a trove of data containing personal and sensitive details of more than 500 million customers. Now, Marriott has acknowledged that the hotel giant has been hacked AGAIN.
Yes, according to Marriott International’s incident notification published on March 31, 2020, the attack took place after two employees at an unnamed franchise property had their login credentials compromised. The hackers used those credentials to steal the personal details of more than 5.2 million guests between mid-January 2020 and the end of February 2020.
The stolen information included:
- Contact Details (e.g., name, mailing address, email address, and phone number)
- Loyalty Account Information (e.g., account number and points balance, but not passwords)
- Additional Personal Details (e.g., company, gender, and birthday day and month)
- Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)
The information not exposed in the breach includes:
- Driver’s license numbers
- Payment card information
- Passwords or PINs for Marriott Bonvoy (the loyalty program)
Although it is unclear how the two employees’ login credentials were stolen, they may have been obtained through a phishing attack that tricked both into giving away their details. Lately, the cybercrime group Lazarus has been targeting large businesses with phishing scams that steal the personal details of key employees in order to carry out further attacks.
It is also worth noting that the investigation is ongoing, so the number of impacted customers and the amount of stolen data could turn out to be much larger than currently assumed.
“Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Internal and external security teams have been working hard to investigate the incident, implement additional security measures, and address what was found,” the hotel giant said in its incident notification.
Marriott has already sent emails about the incident to the guests involved. The email was sent from firstname.lastname@example.org.
In a detailed comment, Mark Sangster, Vice President and Industry Security Strategist at eSentire, said:
“Ignorance is not bliss. It’s negligence. And for the consumer, ignorance is exposure:
The first issue that jumps out is the fact that it again took over a month to notify affected consumers. Giving Marriott the benefit of the doubt, they likely contacted EU privacy agencies within the prescribed 72 hours of detection. But these laws fall short when it comes to protecting consumers.
For 30 days, affected consumers were exposed to a cyber breach that had yet to manifest signs or symptoms. This shouldn’t be lost on people sheltering in home quarantine from a global disease that spreads through asymptomatic transmission. The same rules apply. As soon as you become aware of the risk, you can take precautions to minimize your exposure.
When are we going to learn? Affected individuals need to be notified immediately once the cyber event is confirmed, so they can take their own actions, like changing passwords, putting holds on their credit cards, and monitoring their accounts for suspicious activity. It’s time to flatten the curve on the spread of cyber fraud.
Stolen data doesn’t have to contain credit card info to be dangerous!
Companies can’t play down breaches because they didn’t expose banking or passport information. Loyalty account numbers and history, and traveler preferences allow criminals to tailor phishing campaigns with individualized schemes that become almost impossible to detect with the naked eye. We don’t live in a world of “fire and forget” malware.
Criminals use invested programs that we call “hands-on keyboard” to hunt their prey. They can use traveler info to lure victims using personalized buttons that guarantee a click by the victim. In our annual threat report for legal firms, we reported phishing campaigns that posed as AMEX travel offers for their top-tier members. These attacks stroked the egos of the high-wealth victims and assured a payday for the bad guys.
Fool me once, shame on you; fool me twice, shame on me
This is a good example of “fool me once, shame on you; fool me twice, shame on me.” This isn’t the first cyber blemish in Marriott’s logbook. The previous breach, involving Starwood hotels, predated the acquisition by Marriott, but cost Marriott 99M GBP in European privacy legislation penalties.
And while Marriott likely carried cyber insurance, such coverage fails to cover penalties levied by regulators and privacy agencies, and a “failure to comply” (with cybersecurity specifications set out by the insurer) often negates payout of claims. Beyond the penalties, Marriott will likely find itself in a protracted legal battle with underwriters to receive insurance coverage again.
You are only as strong as your weakest link.
Marriott again demonstrates that companies must secure not only their business but that of their partners, contractors, and franchisees. The first breach in 2018 came through the acquisition of Starwood Hotels, and pre-dated the merger. The 2020 breach was traced back to two compromised employees working at a Marriott franchise.
No matter what, we are reading about Marriott and their tarnished brand, not the franchisee. The supply chain is one of the greatest vulnerabilities for companies like Marriott. In 2019, we interviewed 650 senior executives across multiple industries and discovered that nearly half (49%) of firms had experienced a material breach (like the Marriott 2020 event) as a result of their vendor.
And worse, only 15 percent of those companies learned of the breach from the offending vendor. Perhaps more frighteningly, only a meager 31 percent of these firms changed or modified their vendor policies and contracts with the culprit supplier! In essence, they voluntarily assumed full liability for the failures of their vendors.
Breaking the vicious cycle
It’s no wonder we see serial breaches like Marriott, and we have to use dates to distinguish between these serial events. Companies, in general, need their cybersecurity fabric to cover their distributed business, including partners, franchisees, and remote employees. Coronavirus will change the way we approach secure work-from-home policies, and companies will continue to fund our education and increasing security standards by paying the price as serial breach offenders.”
This breach highlights that companies must train their employees in cyber security, especially at Marriott, where employees have a history of making a mess of things.
In April 2017, it was reported that ex-Marriott employee Juan Rodriguez, fired in August 2016 and ordered to stay away from the hotel’s computer systems altogether, had taken revenge a few weeks later by hacking into the hotel reservation system from his apartment in New York City and slashing rates on more than 3,000 rooms from $159–$499 per night to $12–$59.