This morning news publications across the country reported that Marriott International, the largest hotel chain in the world, suffered a massive data breach affecting over 500 million customers. It is highly likely that this breach impacted your organization or your employees. It appears that hackers breached the Starwood International reservations site and that the breach was contained within that system. According to Marriott, the standard Marriott reservation site was not impacted. Starwood International, which includes the Sheraton line of hotels, was a relatively recent acquisition for Marriott, and its IT systems for booking have not yet been completely integrated.
Nevertheless, a records breach affecting over 500 million customers is massive and undoubtedly makes this one of the largest data breaches in history. Personally identifying information (PII) was among the data compromised, such as:
- Mailing Address
- Email Address
- Phone Number
- Passport Number
- Starwood Preferred Guest number and information
- Reservation Dates and Reservation History
- Arrival and Departure Information
- Encrypted Passwords
- Payment Card Data
The breach was detected by an internal security tool on September 8th, but Marriott security staff was not able to determine the content of what was stolen until November 19th. However, an internal investigation found that the breach may have occurred as long ago as 2014. That is an extremely long time for a hacker to be on a network without detection.
Marriott claims that any reservation in the Starwood network prior to September 10th, 2018 may have been compromised, suggesting that they disabled or removed the malware within the two days after discovery. However, as security practitioners know, incident response and remediation are a much longer process. Especially considering the length of time the hackers were on the network, it seems likely that they established numerous persistence points throughout, making remediation much more difficult and time consuming.
Impact and Remediation
This breach most directly affects individuals who have frequented the Starwood website and hotels. However, there is also significant impact for our customers and for businesses across the globe, since corporations engage in considerable business travel and are responsible for the safety and security of employees travelling on their behalf. Many companies also have contracts with Marriott for discounted hotel rates or other benefits for their employees. Thus, companies and organizations may also have had some of their sensitive information compromised as it relates to business travel, and they should take steps to mitigate the damage.
Those impacted ought to take – at a minimum – the following steps to protect themselves:
- Change your password on your Starwood and Marriott accounts. If you use the same password for other applications and services, you ought to change those passwords too.
- If your credit card number is saved in your account for easy booking, or you simply used a credit card for a reservation, you ought to contact your bank and request a new credit card. Monitor the activity on your account for fraudulent activity.
- Monitor your credit for any indications of fraud or identity theft.
- For any reservations not yet fulfilled that were booked before September 10th, use caution on the trip. Be security aware.
You should also expect phishing emails that look like they are coming from Marriott or Starwood. Please be cautious when opening any email regarding this topic. The difficult thing is that Marriott will likely be legitimately contacting affected individuals and companies via email. Marriott stressed that they will not be sending any attachments in their email, so if you get an email with an attachment, do not open it. Also be very cautious about clicking links. Even if you feel confident that the email you received is from Marriott, we suggest you read the email but manually browse to any site it points you to rather than clicking the link directly. The extra time and effort is worth the security. Next week, we will be posting a guide/reminder on how to identify phishing emails here on our Smarter Cybersecurity Blog.
Security On-Demand Actions
This Flash Alert was sent out as an informational service. We have no visibility into the Marriott breach directly. Nevertheless, we are monitoring the situation closely and our security operations center is looking for any indications of hackers using the stolen information to breach our clients. In particular, we are looking for unauthorized account logins, as hackers may attempt to use the passwords they stole from Marriott to log into accounts elsewhere.
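As an added illustration of the kind of login-pattern check described above (example code written for this post, not Security On-Demand's own detection logic): a small Python heuristic over constructed authentication log lines that flags a single source trying many distinct accounts within a short window, the typical signature of stolen credentials being replayed against another service, and lists which of those accounts succeeded so they can be reset. The log format, field order and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real data): "timestamp user source_ip result".
SAMPLE_LOG = """\
2018-11-30T08:00:01 alice 198.51.100.7 FAIL
2018-11-30T08:00:02 bob 198.51.100.7 FAIL
2018-11-30T08:00:03 carol 198.51.100.7 FAIL
2018-11-30T08:00:04 dave 198.51.100.7 FAIL
2018-11-30T08:00:05 erin 198.51.100.7 SUCCESS
2018-11-30T08:00:06 frank 198.51.100.7 FAIL
2018-11-30T08:10:00 alice 203.0.113.9 FAIL
2018-11-30T08:10:30 alice 203.0.113.9 SUCCESS
2018-11-30T09:00:00 bob 192.0.2.20 SUCCESS
"""


def parse_log(text):
    """Parse one event per line into (timestamp, user, ip, result), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"users_tried": n, "succeeded": [...]}} for every source that
    attempts at least `min_users` distinct accounts within `window`.
    Credential stuffing cycles through many usernames from one source (a leaked
    list), unlike brute force, which hammers a single account; the hypothetical
    thresholds here are assumptions and should be tuned per environment."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                succeeded = sorted({u for _, u, r in in_window if r == "SUCCESS"})
                findings[ip] = {"users_tried": len(users), "succeeded": succeeded}
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['users_tried']} accounts tried, succeeded on {f['succeeded']}")
```

Accounts listed under `succeeded` for a flagged source are the ones to force a password reset on, since a success in the middle of a stuffing run means the reused password was valid.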
An eye-opening revelation from this Marriott breach is how long the hackers dwelled on the network before being discovered. We recently published a blog post on decreasing dwell time, called How Do You Know if You’ve Been Hacked? There are great tips in that post for ensuring you are finding data breaches and getting the hackers off your network as soon as possible.
About Security On-Demand
Security On-Demand is an industry pioneer and recognized innovator within the managed security space. We are leading the industry in threat detection through behavioral analytics and machine learning.