On November 30th, Marriott announced that a guest reservation database on the Starwood side of its business had been breached. Initial reports indicated that upwards of 500 million individuals were affected. The stolen data includes quite sensitive information, such as guest passport details and, likely, payment card information. Although it will probably take time before we fully understand the details of the incident – which appears to have continued unabated since 2014 – there are lessons that we can learn from the details already in the press.
The incident reportedly was noticed when a security tool detected an unauthorized access attempt on September 8, 2018. This begs the question: What technology was the organization using before this period? And also, how was it being used? Technology is not a silver bullet for network and data management. Lesson #1: It is critical for the human side of the equation to be actively involved in reviewing network activity.
Improper access over such an extended period makes a bad story worse. Lesson #2: Companies should make sure that they conduct ongoing reviews of what information is being accessed, by whom, and for what purposes. Technology such as data-loss prevention tools can also help identify when particular information is leaving a network. It also appears that, in this case, the bad actors had copied and encrypted information before attempting to remove it.
News reports suggest that the encryption keys protecting guest payment card information may themselves have been compromised, in part, because these keys were in the same database. Lesson #3: Firms should be sensitive to storing encryption keys apart from the data and ensuring the encryption of those keys.
There’s a high likelihood that this breach impacts guests traveling in the EU or making reservations from Europe. Lesson #4: With the breach notice requirements and potentially high fines under the EU General Data Protection Regulation, firms need to be alert to incidents beyond just the U.S.
As we have discussed before, it will be interesting to see who in the C-suite – and, potentially, the Board of Directors – leaves the organization. This event is simply too significant for senior management to avoid being held accountable. Lesson #5: Astute companies should make sure that information governance and security receive support and oversight from leadership and the Board. This requires not simply the allocation of financial resources, but active questioning and assessments of where practices stand against recognized security benchmarks, such as the NIST guidance.
We can expect that Marriott has substantial cyber risk insurance, as should most organizations. However, firms must recognize that the costs arising from a significant incident will dwarf most policies. Lesson #6: Simply the existence of cyber policies should not lull company management into believing that their financial risk is entirely covered. Plaintiff class action cases were filed within 24 hours.
And we can be sure that, soon after the breach was discovered by Marriott, the company’s corporate lawyers were reviewing the reps and warranties from the Starwood acquisition. Given that the access dates back four (!!!) years, this was unfolding before and during that transaction.
All told, it will be some time before we have all the facts, or at least the ones that Marriott chooses to disclose publicly.