Marriott International has disclosed one of the largest data breaches on record. More than 500 million customers of its Starwood division were exposed to hackers for more than four years. This means that the hackers were already inside the Starwood system prior to the agreement by Marriot to buy SPG. As with the Verizon acquisition of Yahoo, it shows the need for a full cyber security audit as part of any merger agreement.
In its formal statement, Arne Sorenson, Marriott’s President and Chief Executive Officer said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
What do we know so far?
On 30th November, Marriott issued a press release saying that it had discovered a data breach of the Starwood guest reservation system. The breach contained customer information for those who stayed at a Starwood property between 2014 and September 10, 2018.
Marriott claims that the first it knew of the problem was a security alert on September 18. It started an investigation that took until November 19 to determine that a breach had been caused. The investigation uncovered an encrypted file on the Starwood systems. Marriott staff, or their security contractor, decrypted that file. It was found to contain customer data at which point the company started to notify regulators.
So far, the investigation has identified the details of 327 million guests. The details in the file, and presumed in the hands of hackers, include:
- Mailing address
- Phone number
- Email address
- Passport number
- Starwood Preferred Guest (“SPG”) account information
- Date of birth
- Arrival and departure information
- Reservation date
- Communication preferences
The company also admitted that the information also includes payment card numbers and payment card expiration dates. While it claims the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128) it also admits that the keys to decrypt those payment cards may also have been stolen. If so, this makes the breach significantly worse as it shows the hackers had complete access to all company information.
Why was this not detected earlier?
That is a question that everyone wants the answer to. The attackers had been inside the Starwood system for at least a year before Marriott and Starwood announced the acquisition in November 2015. The deal took 10 months to complete and cost Marriott $13 billion. However, while the formal paperwork was complete, the IT systems integration has been an ongoing challenge.
In Sorenson’s statement he admitted that the systems were not integrated. Integrating complex systems is never easy. In this case, it was not just core booking systems but management systems and reward membership schemes that needed to be integrated. Starwood also had a problem with integration. The Club Carlson systems were separate from the Starwood systems as were those of other hotels. This may have added to the complexity for the IT integration team.
Part of the IT integration project should have been the security and safety of data. It is clear that there was no security audit of the Starwood systems. This is something that regulators and shareholders will want to know about. This is something that was not done. After the problems with undisclosed breaches that Verizon found when it acquired Yahoo, a security audit of any acquisition target should be a priority.
Ongoing challenges with this acquisition also reared their head at the Marriott August earnings call with analysts. The company admitted that completing the integration was causing issues. However, it sought to focus that call on quality and the disposal of properties that didn’t meet its standards. Little was said about the IT challenges or that those systems were still not integrated almost two years after the deal closed.
What does the industry say?
Unsurprisingly, there has been a huge response from cyber security vendors and other industry commentators. The biggest issue for most seems to be the length of time that the hackers operated freely inside Starwood systems. There is also concern that they may have already migrated across into the Marriott systems. This could have occurred during the merging of the rewards databases and other systems that have already been integrated.
Jeff Pollard, VP and Principal Analyst, Forrester said: “Marriott and Starwood merged in 2016, but this breach goes back to 2014 per the details released. Since Marriott properties were not affected, this appears to have been solely a Starwood incident. That means it also went undetected during the merger and subsequent consolidation efforts. With all the M&A occurring, it highlights the importance of robust cybersecurity due diligence during the acquisition process.
“Marriott now faces brand and reputational damage, regulatory oversight and legal issues as the result of a cybersecurity incident that occurred two plus years before they announced the acquisition of Starwood. This reinforces the point Forrester often makes that cybersecurity breaches have a long tail, and this one will lead to unanticipated costs for Marriott.“
Simon McCalla, CTO of Nominet said: “The Marriott hack is the latest in a long line of hacks that would concern consumers across the world. But perhaps the most concerning part of this data breach is that, during their investigation into the cause, they found that there had been unauthorised access to the Starwood network since 2014.
“The company received an internal security alert in September of this year – four years after the initial breach. This paints a grim picture of the security system they had in place and how susceptible they were to threats from outside the business.
“Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital. Proactive defence is better than retrospective and with 500m customers affected by this breach, Starwood Groups are finding this out the hard way.”
Enterprise Times: What does this mean
Any customers who stayed in a Starwood group property will be concerned especially given the credit card warning. International customers will also be worried over the loss of passport details. The group had a reputation across some its brands for attracting very high value guests.
The big issue here for Marriott is why this was not detected earlier? It is far too late to claw back some of the monies it paid for Starwood and even if it tried, it would have to explain why it failed due diligence. There will also be questions asked over the length of time between the security alert, the determination that this affected customer data and the reporting of the breach.
The long-term impact on customers will be where Marriott will focus. It has already suffered a backlash over the way it changed its rewards programme to reduce benefits to some customers, especially those that were in the SPG and Club Carlson programmes. With the admission that it has taken over three years for Marriott to detect this breach, customers will wonder what else is going to happen.
There are also questions over the decryption of the file. Hackers are adept at using strong encryption. Did Marriott pay hackers for the key or was this just a matter of inept hackers? That is something that regulators will also want to know.
Unsurprisingly, the lawsuits have already started to fly. Over the weekend, two separate lawsuits, both seeking class action status have been launched. Marriott will hope that there are no more skeletons in the Starwood cupboard.