It’s probably as good a time as any to mention that releasing major breach announcements on Fridays is a worn-out trope by this point. That didn’t stop Marriott from announcing a breach of Starwood’s reservation system affecting 500 million people to kick off this Friday with a bang.
Another Friday, Another Breach Announcement
If you weren’t planning on sharing four years of your travel history, personal information, and passport numbers with a nameless and faceless attacker somewhere in the world this morning, don’t worry: Marriott and Starwood took care of that for you. Marriott announced that it uncovered four plus years of a previously unknown, unexpected, and unauthorized data sharing program that includes travel details, passport numbers, and credit card data. 500 million of us (at least three of this blog’s authors included) found out this morning when Marriott announced a multiyear breach dating back to 2014. If that wasn’t bad enough, it appears that Starwood had a shockingly poor level of database and network security that allowed attackers to capture names, addresses, date of birth, passport numbers, communication preferences, arrival and departure information and so much more. The details are important, but to summarize the announcement: the attackers got everything they wanted.
Marriott has announced all the usual expected steps – it apologized, promised us it cares about security, provided a website and dial in number, and also offered credit monitoring. This is comforting for those of us that have credit monitoring from our employers and the other…15 or so breaches we’ve been a part of. At this point most of us can monitor our credit monitors to see how long it takes for changes to propagate between each one with the number of breaches we’ve been a part of.
Cybersecurity M&A Due Diligence Rears Its Ugly Head
Speaking of the Starwood acquisition, we can’t know the internal details of the due diligence process, but if any cybersecurity due diligence occurred it either didn’t work or was ignored. At the time of the acquisition, the attacker would’ve been resident in Starwood’s network for two years without being detected. However, there’s something more concerning here: Sure, the attacker was missed, but shareholders should be asking why the appalling level of database and network security was missed. Did Marriott know – or try to discover – that Starwood’s network and database security controls, processes, and governance made attacks like this possible over a sustained period of time? Did they know that an attacker could get access to the reservation system in the first place – where the “crown jewels” would obviously be – and upon obtaining access to that could snag almost every bit of customer data it held, and dwell there for multiple years without being detected?
The level of maturity of the security organization, gaps in processes, and issues with security technologies that missed these events should be part of any due diligence process, so the question becomes: were they noticed or ignored? The strategic nature of M&A activity means cybersecurity might not stop it, but it certainly can lower the price and create arbitrage and risk transference opportunities as seen with Verizon’s acquisition of Yahoo when its data breach was discovered.
The Surveillance And Data Economy Problem
When companies collect massive amounts of data in the name of customer experience, they also accept the obligation and responsibility of protecting that data. In this case, Starwood – and Marriott by acquisition – failed spectacularly in that responsibility. Hopefully GDPR will bring the retributive justice hammer down on them and exact vengeance for the aggrieved (but not responsible, and powerless) victims, but that doesn’t make things easier for those whose data was caught in the breach. Consider the following:
- Travelers’ data is now in the hands of at least one set of attackers, possibly more. Your habits, destinations, frequently visited areas, preferred arrival times, and more are now out there without your consent. Four plus years of travel data on 500 million people is one massive data set for an evil data scientist to use to profile people. Companies involved in sensitive industries that have heightened physical safety risks will have to evaluate how this affects them. They may need to change travel habits or plans for key individuals that might be caught up in this breach.
- There are national security implications due to passport numbers and other details. This breach has major nation-state level consequences given the amount and type of data accessed by attackers. Any time passport data is part of a compromise you must factor in the potential ramifications. Resources at various agencies across the globe will now have to wait to receive details on what information was gathered by attackers and how that information could compromise existing operations or assets. Further, intelligence agencies around the world now have access to a treasure trove of information about travelers from adversary nations that can be used for their operations.
- It’s fine to buy this data, just not steal it. Unauthorized data sharing makes companies that sell data unhappy. But the fine print of the apps and promotions systems we sign up for force most of us to consent to the collection and sharing of this data. While GDPR and other regulations seek to empower consumers with opt-out and right to be forgotten, not everyone benefits from those protections. In this case attackers obtained customer data without Marriott or Starwood’s consent or knowledge, which raises an important question: what if Marriott intended to commercialize this data? Considering that most firms we work with today do just that, it would mean the loss of a massive revenue opportunity. In other words, this isn’t just a story about the kind of data stolen, it’s about the fact that the attackers failed to go through the proper channels to obtain it.
Brand Lesson: The Biggest Brand Always Gets Bloodied In A Breach
Notice how this blog, the media, and social media all mention Marriott far more than Starwood when talking about this breach. To be fair, this breach happened to Starwood, not Marriott. In fact, if you only stayed at Marriott properties you are unaffected. But that’s a lesson to every brand out there. Whether it’s an acquisition, merger, or simply a subsidiary, the biggest brand will always get the most attention when a breach is announced. All of the momentum and energy your brand has gets sidetracked when a breach occurs – even if it didn’t happen to you. Collateral damage is real, exhibited by Marriott getting the blame for Starwood’s mistakes well before the acquisition. Some other key lessons follow:
- Cybersecurity Due Diligence: Pay Early or Pay Often. For Marriott, the price it paid for Starwood just went way, way up. Legal issues, regulatory problems due to GDPR (and more), breach investigation & notification services, remediation actions, and public relations costs just skyrocketed, and we are guessing those were unanticipated costs to Marriott’s bottom line for this year. We often mention that breaches have a long tail, and in this case the price Marriott paid for Starwood is far higher than what it originally promised shareholders due to the discovery of this incident. The lesson for everyone here is two-fold: cybersecurity due diligence in M&A is vital, and NOT paying for it at the time will make everything far more expensive later.
- Phishing Just Got Easier For Attackers. The amount and type of data obtained by attackers will make other compromises easier as well. If I know where you travel, how often, who you travel with, and how long you were there, then my phishing, spearphishing, and social engineering attacks just became a whole lot more successful. You may not open up an email from someone you don’t know, but what about an email from the hotel manager thanking you for staying at a certain hotel a few times in the past year with a coupon attached? This is an idea we came up with in two minutes, and we don’t do this every day like attackers do, so imagine what they will conjure up that you’ll click on. One breach leads to another…
- GDPR Is Now The First Thing Companies Think About After A Breach. Regardless of your personal feelings about GDPR, it is having an effect. Within minutes of this breach being announced everyone began to consider the implications of GDPR – if only Marriott had done the same! Since they are well past the 72-hour notification window for GDPR and many other breach notification laws (they discovered it on September 8), they’ve opened themselves up to more fines than necessary. But notification is only one of their problems. A Pandora’s box of violations is open now and the company will need to address questions about how they manage and govern personal data, including retention policies and more. And, since GDPR applies to all individuals that reside in Europe, many short-term visitors’ data is also protected. (BTW, when will Americans get something cool like GDPR??)
What It Means: The Basics of Defense Are Already Well Known and Easily Leveraged.
As has been the case for nearly every other mega breach in recent history, the methods that the bad guys used to exploit this system weren’t magic. Basic database security protocols, good authentication, minimization of lateral movement, and an understanding of how to apply technology strategically would have made a big difference. How many more failures must happen before those with the authority to make changes embrace security technologies aligned with strategic objectives? Using a digital clone of a network for testing and security optimization is a very real thing, and if that approach had been leveraged during the M&A due diligence phase it’s very likely that the failures in configuration would have been noted and the exploitation could have been interrupted. Good security is not “hard” to figure out: the basics matter, and using technology focused on a grander strategic initiative is what must happen.