If you had to ask any GTconsult staff members what the core values of the company are, protection would be right up there.
In a world that is becoming more influenced by technology, cyber criminals are becoming more brazen as they have been introduced to a new pasture of risk that they can take advantage of. This needs to be prevented; and if there are cases of hacks or cyber breaches, these need to be highlighted.
We did blog posts on the hacks of British Airways and Cathay Pacific. Earlier this week, the world learned about a massive cyber breach at hotel giant Marriot. I recently read an article on forbes.com which discussed the breach in all its gory details
The article pointed out that to some onlookers the breach, one of the biggest on record, was astonishing. To those who’ve been tracking Marriott and Starwood digital security, it wasn’t a huge surprise. Prior to the four-year-old breach being discovered, Marriott suffered at least one previously unreported hack, including an infection that hit the company’s own cyber-incident response team, Forbes has learned. And there’s evidence Russian cybercriminals have breached Starwood Web servers.
Marriott’s security is now facing probes from multiple government bodies, including the New York Attorney General’s office. European regulators like the U.K. information commissioner, who have the ability to fine companies significant sums with the power of the General Data Protection Regulation (GDPR), are also looking into the incident.
The article added that Senator Ron Wyden said American regulators needed powers to issue heavier fines on U.S. companies that have failed to protect citizens’ data. “Clearly, current status quo isn’t working,” he said. “The Federal Trade Commission needs real powers with strong teeth in order to punish companies that lose or misuse Americans’ private information. Until companies like Marriott feel the threat of multibillion-dollar fines, and jail time for their senior executives, these companies won’t take privacy seriously.”
Marriot’s security team was hit by a breach in June 2017 that was detected and reported by independent cybersecurity researchers, as noted in a tweet dating from that summer.
The article pointed out that A source familiar with the event told Forbes that Marriott’s Computer Incident Response Team (CIRT) was compromised thanks to a mistake by a contracted cybersecurity vendor that was supposed to be protecting the hotel giant. According to the source, SecureWorks, a cybersecurity provider once owned by Dell, was the vendor. SecureWorks said it wouldn’t comment on the matter. Marriott declined to name the contractor.
But Marriott’s version of events chimed with that of the source’s. A Marriott spokesperson told Forbes the breach saw a contracted analyst download a malware sample for analysis. The malicious software ended up getting access to Marriot’s internal email. “The breach that resulted was an isolated incident involving that one analyst’s machine that had access to Marriott’s outlook Web access mailbox but was not connected to the Marriott network,” the spokesperson explained.
The article added that Daniel Gallagher, an independent cybersecurity researcher who uncovered the 2017 breach, told Forbes he discovered the attack after finding a server on which Nigerian hackers were running their criminal enterprise. Marriott was just one of many victims, Gallagher said, and had been quick to respond.
The article points out that Starwood has been haunted by security nightmares both before and after the company’s 2016 acquisition by Marriott, according to Alex Holden, founder of Hold Security. Holden has long tracked breaches at major companies. He sent Forbes screenshots that appeared to show cybercriminal access to Starwood corporate portals.
The images presented a control panel used by Russian criminals to run a network of hacked servers, also known as a botnet. Six of those servers were hosting various starwoodhotels.com domains.
“This particular botnet is a part of several fairly large botnets operated by a small group of Russian-speaking hackers,” Holden told Forbes.com. “This interface controls about 1,200 infected devices, which is the smallest node. Several nodes have around 10,000 victim systems. The botnet is stealing tens of gigabytes from victim systems including vital files and taking screenshots.
“And we know that they have access to infected computers that seem to access Starwood employee data and company resources.” Forbes passed the screenshot to Marriott on Sunday. It had not responded to a request for comment on Holden’s specific botnet claims at the time of publication.
Holden detailed other issues to Forbes.com. One was the use of an easily guessable password for Starwood’s ServiceNow cloud computing service. Within the ServiceNow portal, it’s possible to access businesses’ financial records, IT security controls and bookings information.
The article adds that going back to 2014, the year when Marriott said Starwood’s network had been hacked, Holden claimed there was a serious vulnerability on the company’s website. Known as an SQL injection bug, it could’ve been exploited to gain access to Starwood databases. He said that such vulnerabilities and even services offering to hack Starwood were being offered amongst hackers on the dark Web back in 2014.
That same year, Starwood point-of-sale systems had been hacked. But it took until the following year for the company to reveal what had happened.
The article points out that Marriott is yet to offer more detail on just how its Starwood database was stolen. The original hack was traced back to 2014, but no specific month or date was given.
On the various claims made by Holden, a Marriott spokesperson told Forbes: “Anything that happened prior to September 2016 (the date we closed the acquisition) on the Starwood network is not something we are able to comment on.
“The types of scenarios shared [by Forbes via Holden] are scenarios that most retail, restaurant and hospitality companies deal with on an ongoing basis. Often these issues are beyond the control of the companies because they happen outside of the companies’ networks. We thoroughly investigated the Starwood network in response to this incident and do not see any connection between the scenarios you referenced in this incident,” Holden told Forbes.com
Outside of regulatory scrutiny, Marriott is now facing multiple class action lawsuits as a result of the megabreach. As with other uberhacks, Marriott can expect a painful ride ahead, with plenty of regulatory and legal proceedings to navigate.
Lurking in the dark
According to an article on McLatchy DC Bureau, the criminals that hacked Marriott lurked in the shadows for a long time.
The article pointed out that for four years, Marriott Hotels fell in the latter category. Buried in Marriott’s announcement Friday that personal data of as many as 500 million guests was lost in the second largest consumer breach in U.S. history, the company said hackers first entered the guest reservation systems in 2014.
The hack remained undetected year after year.
“The sheer size and length of this breach is very unique,” Yonatan Striem-Amit, chief technology officer at Cybereason, a cybersecurity firm in Boston told McLatchy DC Bureau, “The industry average talks about … 100 to 200 days between the moment of breach and the moment it is discovered.”
Also unique is the volume of information the hackers obtained through Marriott, one of the world’s biggest hotel chains with 1,200 properties under brands like Sheraton, Westin, St. Regis, W and Courtyard. The company said hackers obtained names, addresses, phone numbers, email addresses, passport numbers, birthdates, gender and other details on at least 327 million guests from the Starwood database. Marriott bought Starwood Hotels & Resorts in 2016.
The article points out that hackers also took credit card information and expiration dates for another undisclosed number of guests, Marriott said. While this information was partially encrypted, hackers may have taken data that would allow them to decrypt the payment data, it added.
The Marriott breach is surpassed in size only by the hack of 3 billion users of Yahoo in 2013 and 2014. In some ways, it more resembles the 2017 hack of Equifax, one of the largest U.S. credit bureaus, in which some 143 million consumers lost personal information.
The article adds that experts said cybercriminals may employ data gathered from the Marriott breach and cross-reference it with information from a host of other breaches, including from Equifax, to create more robust profiles of potential crime targets.
Among those likely to be affected are business travelers, they said. British Airways and Cathay Pacific airline disclosed breaches this year, and the hotel companies Radisson, Intercontinental and Japanese-owned Prince also suffered hacks.
“It’s people that have a higher net worth,” Ryan Wilk, a vice president at NuData Security, a MasterCard company told McClutchy DC Bereau, “Business travelers are a little more affluent than the average.”
Data stolen from airline and hotel chains “contains a treasure trove of information that hackers can use to build sophisticated, comprehensive dossiers” on victims, added Rusty Carter, vice president of Arxan Technologies, a San Francisco-based company.
Criminals working with hackers could seek to track the travel plans of individuals.
“The burglary angle is also an important one to note. If I know where you live, which is captured in the billing address, and I know where you’re going to be and when, there is potential on that front,” Carter said.
An issue of national security
The article points out that criminals rarely obtain passport data, and the loss of the data has implications not only for identity theft but also national security.
“They have right now enough data to go and apply for a replacement passport, due to ‘my passport being lost.’ They would have your Social Security number from past hacks,” Striem-Amit said.
The coming year might even see an uptick in criminal efforts to defraud the Internal Revenue Service, experts said, as hackers file fraudulent claims in the name of consumers.
“You file someone else’s taxes,” said Wilk. “You hope they are getting a nice big return. The true owner of the information is kind of out of luck.”
See you in court
The article points out that the breach drew new calls for regulation from Capitol Hill and an immediate class-action lawsuit against Marriott.
“This latest incident should strengthen Congress’ resolve,” Sen. Mark Warner, vice chairman of the Senate intelligence committee told the press. New data security laws should “ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
The article adds that two men, one from West Virginia and another from Illinois, filled the class-action suit in federal court in Maryland to recover damages caused by the breach.
Marriott said it received an internal alert on Sept. 8 regarding the Starwood guest reservation database, and conducted an internal probe. It didn’t explain the delay in informing consumers.
“Almost three months went by where they knew that half a billion people had their information stolen, including passport numbers, and they spent three months trying to figure out exactly what the press release should say,” said Brian Vecci of New York-based Varonis, a data protection and analytics company. “It’s mind boggling.”
“We need stronger consumer protections for exactly this kind of reason. Companies can’t wait months to disclose,” Vecci added.
The article adds that since Marriott is a global company, it could face financial penalties of up to 4 percent of its global annual revenue if found to be in breach of Europe’s stiff General Data Protection Regulation, or GDPR, that went into effect in May. GDPR requires companies to inform regulators of data breaches within 72 hours.
Marriott is only the latest in a drumbeat of breach announcements. Just this week Dell, a computer company in Round Rock, Texas, and Atrium Health of Charlotte, North Carolina, disclosed breaches. In Atrium’s case, 2.65 million people lost personal data, including in some cases Social Security numbers.