Marriott International suffers data breach - again
On 31 March 2020, Marriott International announced that it had notified some of its guests of a data breach. Approximately 5.2 million guests were involved, the hotel chain said. Marriott International has a portfolio of more than 7,300 properties under 30 brands spanning 134 countries and territories.
Hotels operated and franchised under Marriott’s brands use an application to help provide services to guests at hotels, the company explained. An "unexpected amount of guest information" stored in this application may have been accessed using the login credentials of two employees at a franchise property, Marriott said in a statement. The breach was found at the end of February 2020, and was likely to have occurred in mid-January 2020.
Marriott confirmed that the login credentials were disabled, began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.
The information which might have been accessed, if present for the guest, could include:
- Contact details (e.g., name, mailing address, email address, and phone number)
- Loyalty account information (e.g., account number and points balance, but not passwords)
- Other personal details (e.g., company, gender, and birthday day and month)
- Partnerships and affiliations (e.g., linked airline loyalty programmes and numbers)
- Preferences (e.g., stay/room preferences and language preference)
Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s licence numbers are unlikely to have been stolen, Marriott said. Marriott Bonvoy is Marriott's travel programme.
Marriott has emailed the guests involved. Guests can visit a dedicated website with additional information and access call centre resources via numbers listed on the website. The email sent to guests and the website also contain steps guests can consider taking. They can further enrol in a personal information monitoring service that Marriott is providing.
Marriott also said that it is working with its insurers to assess coverage. The company does not believe that total costs related to this incident will be significant. The breach follows another cybersecurity incident in 2018 which impacted 500 million guests.
Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group commented, "This data breach at Marriott International highlights the importance of performing a detailed threat model on business operations and then implementing appropriate monitoring controls to ensure that threat vectors can be quickly identified.
"In this case, the attack vector was via compromised employee credentials. Those credentials provided access to guest services within individual properties under the Marriott brand. Since employees often have access to sensitive customer data, creating appropriate alerts to detect credential misuse is particularly difficult.
"Examples of behaviours to look out for include: time of day (i.e., is the employee clocked in), scope of access (i.e., is the accessed data outside of their normal role), and volume of data (i.e., is the access consistent with how an employee would access data to address customer requirements). Implementing such controls requires organisations to look not only at the application security and how it's deployed, but the intended usage patterns incorporating human factors data."
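One way to turn the three signals Mackey lists (time of day, scope of access, volume of data) into a detection rule over application access logs, as an added example that is not from the article or from Synopsys; the log format, employee profiles, shift windows and baseline multiplier are constructed assumptions:

```python
from datetime import datetime

# Constructed employee profiles: home property, shift window (start hour, end hour),
# and a per-day lookup baseline learned from normal activity.
EMPLOYEES = {
    "emp-101": {"property": "P-001", "shift": (7, 19), "baseline_per_day": 40},
    "emp-102": {"property": "P-002", "shift": (14, 23), "baseline_per_day": 30},
}

# Constructed access log: (timestamp, employee_id, property_code, guest_record_id).
# emp-101 is normal; emp-102's account pulls 200 guest records from another
# property between 02:00 and 05:20, well outside its shift.
SAMPLE_LOG = [
    ("2020-01-14T09:15:00", "emp-101", "P-001", "G-1001"),
    ("2020-01-14T11:40:00", "emp-101", "P-001", "G-1002"),
    ("2020-01-14T16:05:00", "emp-101", "P-001", "G-1003"),
] + [
    (f"2020-01-15T{2 + i // 60:02d}:{i % 60:02d}:00", "emp-102", "P-001", f"G-{2000 + i}")
    for i in range(200)
]


def flag_credential_misuse(log, employees, volume_multiplier=5):
    """Aggregate lookups per (employee, day) and return {(employee, day): [signals]}.

    Signals: off_shift (access outside the shift window), out_of_scope (access
    to a property other than the employee's own), volume (daily lookups above
    baseline * volume_multiplier)."""
    stats = {}
    for ts, emp, prop, _guest in log:
        t = datetime.fromisoformat(ts)
        key = (emp, t.date().isoformat())
        s = stats.setdefault(key, {"lookups": 0, "off_shift": 0, "out_of_scope": 0})
        s["lookups"] += 1
        start, end = employees[emp]["shift"]
        if not (start <= t.hour < end):
            s["off_shift"] += 1
        if prop != employees[emp]["property"]:
            s["out_of_scope"] += 1

    alerts = {}
    for (emp, day), s in stats.items():
        signals = []
        if s["off_shift"]:
            signals.append("off_shift")
        if s["out_of_scope"]:
            signals.append("out_of_scope")
        if s["lookups"] > employees[emp]["baseline_per_day"] * volume_multiplier:
            signals.append("volume")
        if signals:
            alerts[(emp, day)] = signals
    return alerts
```

Each signal alone is noisy (a late shift swap, a helpful cross-property lookup), so a real rule would weight them; the point is that all three firing together on one account in one day is the pattern worth an analyst's attention.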
Darktrace's Director of Strategic Threat Marcus Fowler said, "The hospitality sector is already under immense strain, but cybersecurity needs to remain a priority even during this challenging moment. This breach should serve as a wakeup call to all in the hospitality sector – and other industries being negatively impacted by the pandemic – that they are still targets.
"Attackers won’t wait to attack until business has stabilised, or until security and IT teams have completed the transition to remote work. Instead adversaries will look to use this uncertainty and upheaval to their advantage – striking while businesses are struggling to adapt.
"These organisations also still have information that is valuable to cyber actors. In this instance it was the contact information of 5.2 million customers, which attackers can use to launch targeted email campaigns. Unfortunately, the risks of business email compromise are exacerbated when employees are working remotely, and are hungry to receive information from colleagues or updates from their company."
Fowler said employees need to remain on high alert for targeted phishing campaigns, while businesses need to find ways to support their security teams. "Technology like artificial intelligence (AI) that can streamline investigations and stop attacks before they can do damage can buy back valuable time for overwhelmed teams," he said.