The Aftermath Of The Massive Marriott Data Breach
Task Force 7 Radio Host Talks Breach and GDPR Implications
Add bookmarkOne of the fallouts from the Marriott International data breach is possible violation of the GDPR and if so, how European regulators are going to handle fines. The massive breach was the topic of a special edition of Task Force 7 on Sunday night, with host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies.
Rettas took to the airwaves for an extra scheduled episode 59 to discuss the implications of the breach, which Marriott revealed late last week. The hotel conglomerate reported hackers had breached its Starwood reservation system and stole the personal data of up to 500 million guests.
Ominously, Rettas said the breach will likely “facilitate decades of fraud against unsuspecting Marriott customers, who will probably never realize that the identity and financial crimes being committed against them is a direct consequence of their stay at a Marriott hotel.”
Customers could be financially impacted if they stayed at any Marriott-owned Starwood hotels, including Sheraton, Westin, the W hotels, the St. Regis, Four Points, Aloft, Le Meridian, Tribute, Design hotels, Elements, and the Luxury Collection, he said. Marriott reportedly discovered the breach into one of their databases in September, and then hired a cyber investigations and forensics company to investigate what happened to its systems.
“What they discovered was that the bad guys have had persistent access to Marriott's systems since 2014, meaning that some nefarious characters were roaming around Marriott systems for four years, without Marriott's information systems or security professionals detecting the breach,” Rettas said.
GDPR Implications
Rettas spent time discussing whether Marriott will be subject to the GDPR, which took effect on May 25, 2018. Under the GDPR guidelines, organizations are required to provide a 72-hour notification of any potential breach to European regulators.
“I'm unsure whether this requirement was met by Marriott,” he said, “although Marriott has released a statement saying they did everything they were supposed to do at every single step of this incident, including at some point notifying the FBI.”
Companies can be fined up to 4% of global revenue for a violation of European privacy and protection laws.
The data the hackers accessed includes customers’ names, addresses, phone numbers, birth dates, email addresses and encrypted credit card data, he noted.
“Apparently, Marriott is still determining if the bad guys have the keys to decrypt the encrypted card data and the encrypted credit card numbers, which would be good to know,’’ Rettas said.
He talked about Marriott’s response to the hack and how the company has given all customers an opportunity to sign up for a monitoring service called Web Watchers, which “monitors nefarious websites for the sale or exchange of your data. Then they'll notify you if some evil or wicked force possesses some or most of your personal information.”
Rettas said he “found the choice of monitoring [services] interesting, but something smart that Marriott did, and learned from some other recent high-profile breaches, is that they made public the email address that they will be using to reach out to customers affected by the breach, as early as next week.” That email address is: starwoodhotels@email-marriott.com.
“Now the reason they do this is because other miscreants and scammers across the world are going to try to take advantage of the situation, by launching massive phishing attacks against unsuspecting consumers, because the attack has been really widely publicized,” Rettas said. He advised listeners to be aware of any emails they receive from an address other than starwoodhotels@email-marriott.com, notifying them that they are a victim of the Marriott breach.
“Whatever you do, don't click on any links or open any executables from that email,’’ he stressed. “It's highly likely that that email is a fraud.”
Will The Breach Pack A Financial Punch?
Rettas said the intrusion was discovered by Starwood, which was acquired by Marriott in 2016, for $13.6 billion. So far, he noted, there has been “no huge devastating hit to the stock.”
He compared the Marriott breach to the one Equifax suffered in 2017, and how, in the aftermath, shares of Equifax fell more than 35% after the company disclosed it. While noting that he’s not a financial analyst and doesn’t give financial advice, Rettas said he believes “The company's not in big trouble, especially if we look at how these types of incidents have affected the finances of other companies who have experienced similar incidents in the past.”
Equifax, he said, “actually made a lot of money off the breach on identity theft services they offered to victims after the breach occurred, through their partnerships.”
Rettas also cited a Nov. 30th article in Barrons.com, which quoted JP Morgan analyst, Joseph Greff as saying, "Our general view is that any damage done to Marriott's brand longer term, will likely be minimal, if at all,” and that the breach isn't as dire as the Equifax breach.
“I don't actually get the statement about the breach being not as dire as Equifax's breach. By all accounts, this was a monster breach,” and it should not be minimized, Rettas said. “In fact, it's second only to the 2013 Yahoo breach that affected three billion user accounts.” However, he said he agrees with Greff's assessment that consumers are growing numb to these events and wondered where the consumer outrage is.
What’s Next?
Rettas then flipped the conversation to the fact that intelligence officials have said the stolen data has not appeared on the dark web. “It's possible that because we haven't seen the stolen data from the breach appear for sale in the dark sewers of the underground, that the motive of these bad actors might not be financial,’’ he explained.
“When we look at our threat actor taxonomy, this type of event fits two out of the five groups of adversaries very well,” he said. The five groups are usually: organized crime, nation states, terrorists, hacktivists, and insiders. “This type of incident usually involves organized crime or nation states.”
Some industry professionals are leaning toward the actors being a nation state, he added. Rettas cited three reasons: the first is that it appears the actors were not seeking financial gain; secondly, they were able to maintain a persistent presence in Marriott's networks for over four years, which he said usually indicates “that you're probably dealing with someone who is a very sophisticated adversary.” Finally, he observed that intelligence analysts have long said that nation states have been trying to gain a foothold in the hospitality industry, to monitor the movements of persons of interest, purely for intelligence purposes.
“This type of breach fits that scenario quite well, in my opinion,’’ he said.
Now, the company can expect to see “lawsuits galore,’’ he said. Rettas wondered aloud if this will “finally prompt lawmakers to pass laws to severely punish companies who fail to protect their data?”
He cited several newspaper articles that all speculated on why the breach wasn’t discovered sooner. “All the Monday morning quarterbacking being done here, literally within hours after Marriott announced the breach, is kind of juvenile to me,’’ Rettas said, pointing out that anybody who listens to this show knows he is a big privacy advocate.
“To be making statements about Marriott's security program, or how serious they take their security program this early in the game, is just plain irresponsible,’’ he stated. “There's not a lot of information about Marriott's information and security program right now, what their construct was, their budget, and leadership and governance models, their human capital resources, their security technology stock.”
The public also doesn’t know if a known vulnerability was used to gain access, or a zero-day exploit, he added.
“Statements like this are purely agenda-driven, to fit a certain narrative,’’ Rettas said. “They really lack some credibility in my mind ... They're usually made by people who don't really understand computer systems and security.”
He also said, “Taskforce 7 is the advocate for the cybersecurity professional.” Even though cybersecurity professionals often “pound on their chest and shout out from the rooftops their technical prowess” Rettas pleaded with the audience to “exercise some restraint.”
There's plenty of time for criticism later, if required, Rettas said, but any “battle-tested cybersecurity executive” knows a breach must be made public well before a company is prepared to do so because of regulatory laws and requirements.
At the end of the show, Rettas issued a warning.
“One more thing folks, be careful what you say,’’ he advised. “Everyone is going to have a bad day in this environment, it's inevitable … someday, it's going to be your turn to hit the 24-hour news cycle. What you say today may very well come back to haunt you.” Just think about that. Be smart. Let's learn from this together, as we gather more information over the coming days and weeks.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub. To listen to this and past episodes, click here.