Marriott International has suffered another data breach. It is the second time in two years that the company has had user data stolen. This latest breach affects 5.2 million customers and took place over six weeks, starting in mid-January 2020.
In its warning to customers over the breach Marriott wrote: “Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels. At the end of February 2020, we identified that an unexpected amount of guest information may have been accessed using the login credentials of two employees at a franchise property.
“We believe this activity started in mid-January 2020. Upon discovery, we confirmed that the login credentials were disabled, immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests.”
There is a dedicated website, set up by Marriott, where it details what data it believes was taken by the criminals. It also lists the actions Marriott is taking and contains an FAQ to answer some of the more likely questions from customers.
One of the key things mentioned in the site is the email address that Marriott will use to communicate with customers – email@example.com. It is a smart move. As the stolen data includes customer email addresses, they will be susceptible to phishing attacks. By making the contact address public, Marriott is seeking to reduce the risk of customers responding to fake emails.
What data was stolen?
Marriott has provided a list of the data it believes was stolen. It goes on to say that not all guests had all of that data recorded about them in the system.
- Contact Details (e.g., name, mailing address, email address, and phone number)
- Loyalty Account Information (e.g., account number and points balance, but not passwords)
- Additional Personal Details (e.g., company, gender, and birthday day and month)
- Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
- Preferences (e.g., stay/room preferences and language preference)
It has also published a set of telephone numbers for customers to call to get more information about the breach.
| Region | Telephone number |
| --- | --- |
| Rest of the World (toll may apply) | +1-402-952-5356 |
What should you do?
There are several actions that Marriott customers can take.
- Change your Marriott Bonvoy password: This can be done through the app or by logging into the online system. At the moment, there is no evidence or claims that users are being locked out of their accounts. However, it would have been better if Marriott had blocked all existing passwords and forced users to do a password reset. At that point, it could have added multi-factor authentication to improve security.
- Check your credit card statements: It is always good practice to monitor all credit and charge cards for unexpected entries.
- Check with Marriott: Marriott has a self-service portal (non-functional at the time of writing) that will confirm if your details were lost. While it is not working, Marriott says to call the numbers above, but the UK number meant holding for a long time.
- Register for fraud protection: Given the number of breaches over the past five years, most people should already be using fraud monitoring services. If not, Marriott is offering to pay for one year of IdentityWorks for any affected customer.
- Don’t respond to any email that doesn’t come from the email address firstname.lastname@example.org.
It is far from an exhaustive list but should be the first set of things that anyone does to protect themselves.
Marriott's advice mirrors many of the steps above:
- If you have a Marriott Bonvoy account but have not activated your online access to it and set up a password, you should do so now.
- Use good password management practices, including not using easily guessed passwords and not using the same password across multiple accounts.
- Monitor your Marriott Bonvoy account for any activity that you did not initiate and notify us of any suspicious activity.
- If we have determined that your information was involved in the incident, you will be prompted to reset your password and enable multi-factor authentication to further protect access to your account.
- You should not provide any information—especially payment card information, other financial account information, online account information, or passwords—to anyone who calls or otherwise contacts you purporting to be from Marriott or a Marriott brand hotel. Marriott will never call or email you to ask you to provide this information by phone or email.
- You should be vigilant against possible “phishing” emails that appear to be (but are not) sent from Marriott email addresses.
Cybersecurity industry unimpressed by another breach
Unsurprisingly, the cybersecurity industry has been unimpressed with Marriott. Most of the 35+ comments I’ve received have pointed out that serial breaches raise questions over governance. They have all talked about the need for users to take the steps above to protect themselves.
Another common theme is that the accounts compromised were privileged accounts that had access to so much customer data. Anyone who has worked in the hospitality industry will know that the data stolen is widely available to anyone working reception and booking. They use it to determine the room allocation for the customer and to check status such as free wifi, access to lounges and access to spas. As such, it is not restricted in access and attempting to do so would be difficult.
What is more important is not the access to view the data but the access to export and download it. That should have been highly restricted. Without it, the attackers would have had to display customer records and screen-scrape the data, making it a much longer and less efficient process.
“Vectra research shows that privileged access from unknown hosts occurs inside every industry, leading to unintended exposure of critical systems. Yet these privileged accounts rarely receive direct oversight or technical control of how they are used. If used improperly, privileged accounts have the power to cause much damage, including data theft, espionage, sabotage, or ransom.” – Chris Morales, Head of Security Analytics at Vectra.
“In the future, it is crucial that Marriott updates its data security to avoid being hit by a further breach. All organisations must understand exactly what data they have, where it is stored and monitor the access to it. Now that everyone is working from home, cyber security teams need to pay attention to unusual spikes in data access, so they can discover a security incident early and prevent data from leaking.” – Matt Middleton-Leal, General Manager EMEA & APAC, Netwrix
“The essential practices of protecting systems and applications are well known – they are enumerated in the NIST Cybersecurity Framework. Companies can choose to either proactively implement those practices consistently in their systems, or they can choose to be frequently compromised. There is no other alternative. This breach reflects a lack of doing the basics well, specifically two-factor authentication and user account activity monitoring. Either of these would have either prevented the breach by increasing the difficulty of stealing the credentials or by dramatically decreasing the scope of compromise. One would think that a franchise account looking up 5.2 million customer accounts was anomalous behavior.” – Kelly White, CEO, RiskRecon
“Marriott should be commended here despite suffering another breach of personal data. They were able to report on what information was taken and which customers were affected, and while there was certainly valuable data leaked, it sounds like this was relatively well-contained. A breach is never good news, but it’s a positive sign that they were able to keep tabs on their data and report the leak to authorities—transparency is critical when you’re dealing with data privacy.” – Brian Vecci, Field CTO at Varonis
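As an added illustration of the account activity monitoring White's comment calls for (example code written for this article, not anything Marriott, Vectra or RiskRecon runs), the script below reads a guest-record access log, flags any staff account whose daily record views are far above the peer median, and separately flags every bulk export, since export rights are the access that should be tightly restricted. The log lines, account names and the 10x threshold are constructed assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample log (not from Marriott): one line per guest-record action
# by a property staff account. Format: day,account,action,record_count
SAMPLE_LOG = """\
2020-01-10,recep-a,view,42
2020-01-10,recep-b,view,51
2020-01-10,fr-emp1,view,38
2020-01-11,recep-a,view,47
2020-01-11,recep-b,view,55
2020-01-11,fr-emp1,view,40
2020-01-12,recep-a,view,44
2020-01-12,recep-b,view,49
2020-01-12,fr-emp1,view,3100
2020-01-13,recep-a,view,45
2020-01-13,recep-b,view,52
2020-01-13,fr-emp1,export,120000
"""

def parse_log(text):
    """Parse the comma-separated log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        day, account, action, records = line.split(",")
        events.append({"day": day, "account": account,
                       "action": action, "records": int(records)})
    return events

def daily_view_counts(events):
    """Sum record views per (day, account); exports are tracked separately."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "view":
            counts[(e["day"], e["account"])] += e["records"]
    return counts

def find_anomalies(events, factor=10):
    """Return (volume_alerts, export_alerts) as sorted (day, account, n) tuples.
    The baseline is the median of all per-account daily view counts, so a
    single runaway account does not drag the baseline up with it."""
    counts = daily_view_counts(events)
    baseline = statistics.median(counts.values())
    volume_alerts = sorted((day, acct, n) for (day, acct), n in counts.items()
                           if n > factor * baseline)
    # Any bulk export is alert-worthy on its own: it is the capability that
    # turns slow screen-scraping into a fast, complete data theft.
    export_alerts = sorted((e["day"], e["account"], e["records"])
                           for e in events if e["action"] == "export")
    return volume_alerts, export_alerts

if __name__ == "__main__":
    print(find_anomalies(parse_log(SAMPLE_LOG)))
```

On the constructed log the median daily view count is 47, so the 3,100-record day and the export are the only two alerts.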
Enterprise Times: What does this mean?
Expecting organisations to have no data breaches is naïve, especially when that organisation holds the type of personal information that hotel chains do. What is more important here is how that data is stored, accessed, and what security processes are in place. Marriott is learning. Last time it took years before the breach was noticed. This time it is just six weeks. It’s still too long, but it is an improvement.
There are serious questions to be addressed. White asks, why did it take so long to spot such anomalous behaviour? Other questions include: Were early warning signs ignored? Was the cybersecurity team understaffed? Did it have the right tools? Was there an external service provider responsible for cybersecurity? If so, this could have severe consequences for their business as other customers ask why they didn’t spot the breach. Of course, it could be they detected the breach, told Marriott and nobody acted. Either way, expect some finger-pointing to take place.
The question now is how long before the full forensic report appears. The previous report took just a few months and was ready when Arne Sorenson, President & CEO of Marriott International, faced a US Senate Committee. This breach may require another visit to the committee, but probably not.
Marriott has been quick to point out that it has insurance to cover all this, a comment intended to calm investors and the broader market. However, if the failure turns out to be something that should have been fixed after the previous breach, insurers may not pay out. Additionally, there is the question of regulatory fines. Governments are increasing the level of penalties for breaches. Last time the EU fined Marriott over $120 million. How much will this breach cost?