2018 was a busy year for retail in the cyber security arena, with many organizations suffering from data breaches during the year, including British Airways and Vision Direct.
British Airways suffered a sophisticated data breach affecting around 380,000 customers using its website and mobile app.
The attack – discovered on Wednesday 5 September 2018 – took place between 22:58 BST on 21 August and 21:45 BST on 5 September. Customers’ payment card details were breached, but the compromised data did not include travel or passport details.
Vision Direct stated: “Between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November, the personal and financial details of some of our customers ordering or updating their information on Visiondirect.co.uk were compromised. This data was compromised when entering data on the website and not from the Vision Direct database. The breach has been resolved and our website is working normally.”
A total of 16,300 people were thought to have been at risk of the breach, although 9,700 of those did not have any financial data compromised. For the 6,600 others though, information including payment card numbers, expiry dates and CVV codes could all have been accessed.
The compromised data was linked to customers updating their credit card payment options. Those affected were advised to change their passwords and contact their credit card providers in case their cards needed to be reissued.
But they paled in comparison to the hack that Marriott Hotels experienced:
In November 2018, 500 Million (yes 500 Million) records from the Starwood reservation systems were reported to have gone missing at the Marriott International Hotel chain. It was confirmed that hackers had got into their systems over a four-year period and stolen the records.
The names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.
Unnoticed For 4 Years
The intrusion went unnoticed for four years by Starwood, which was acquired by Marriott in 2016 for $13.6 billion. It was uncovered in early September, when a security tool alerted Marriott officials to an unauthorized attempt to access Starwood’s guest reservation database. The alert prompted Marriott to work with outside security experts, who discovered that the hackers had been in Starwood’s systems since 2014.
As of January 2019, “The company has concluded with a fair degree of certainty that information for fewer than 383 Million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database. According to our most recent investigative findings, the incident involved approximately 18.5 million encrypted passport numbers and approximately 5.25 million unencrypted passport numbers and approximately 9.1 million encrypted payment card numbers.”
Even with this slightly lower figure of 383 Million, Marriott wins the “We’ve had the most records stolen” award. 383 Million is still a massive amount of data.
What are the implications for Marriott?
The share price of Marriott dropped 5.6% after the breach was announced and the publicity that Marriott received was for all the wrong reasons. It seems the general public have short memories as the Marriott stock price is now higher than it was before the breach announcement.
Have Lessons Been Learnt?
In March 2019 CEO Arne Sorenson testified before a Senate Homeland Security Subcommittee investigating private sector cyber-attacks, saying that in the future all of the passport data it obtains likely will be encrypted. He also suggested that the chain will likely opt to store passport information at the property level instead of in a centralized database.
Starwood traditionally collected passport information and transferred it to a centralized platform; Marriott also gathered passport data locally, but did not transfer the information to a centralized database.
He said storing the information locally would make it a smaller target for hackers, but on the other hand Marriott needs to ensure that it can provide adequate cyber security tools to properties to protect against further breaches.
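The first control Sorenson describes, encrypting passport numbers instead of holding them in the clear, is an application-layer change rather than a database setting. The following is an added example written for this article, not Marriott’s or Starwood’s code: it uses only the Go standard library, and the guest name, passport number and both keys are constructed for the demo. It shows what a copy of the reservation database would expose (ciphertext and a keyed index), what the application with the keys can recover, and why a front desk can still look a guest up by passport number without a plaintext column.

```go
// Added example (not Marriott's or Starwood's code): field-level encryption of
// passport numbers so that a copy of the reservation database alone does not
// reveal them. Keys here are constructed for the demo; in production they would
// come from a KMS/HSM kept separate from the database.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// GuestRecord is what the database holds: no plaintext passport number, only
// AES-GCM ciphertext plus a keyed blind index for exact-match lookups.
type GuestRecord struct {
	Name           string
	PassportCipher []byte // nonce || ciphertext || GCM tag
	PassportIndex  []byte // HMAC-SHA256(indexKey, passport)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPassport encrypts with AES-256-GCM; the guest name is bound in as
// associated data so a ciphertext cannot be silently moved to another guest.
func sealPassport(key []byte, name, passport string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(passport), []byte(name)), nil
}

// OpenPassport decrypts a record; a wrong key or tampered row yields an error.
func OpenPassport(key []byte, rec GuestRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(rec.PassportCipher) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, rec.PassportCipher[:n], rec.PassportCipher[n:], []byte(rec.Name))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// blindIndex lets the application find a guest by passport number without a
// plaintext column; the index key must be protected like the data key.
func blindIndex(indexKey []byte, passport string) []byte {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(passport))
	return mac.Sum(nil)
}

// StoreGuest builds the database row for a guest.
func StoreGuest(key, indexKey []byte, name, passport string) (GuestRecord, error) {
	ct, err := sealPassport(key, name, passport)
	if err != nil {
		return GuestRecord{}, err
	}
	return GuestRecord{Name: name, PassportCipher: ct, PassportIndex: blindIndex(indexKey, passport)}, nil
}

// FindByPassport is the exact-match lookup a front desk would run.
func FindByPassport(rows []GuestRecord, indexKey []byte, passport string) (GuestRecord, bool) {
	want := blindIndex(indexKey, passport)
	for _, r := range rows {
		if hmac.Equal(r.PassportIndex, want) {
			return r, true
		}
	}
	return GuestRecord{}, false
}

func main() {
	dataKey, indexKey := make([]byte, 32), make([]byte, 32) // constructed demo keys
	rand.Read(dataKey)
	rand.Read(indexKey)
	rec, err := StoreGuest(dataKey, indexKey, "A. Guest (constructed)", "X1234567")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in database: %x\n", rec.PassportCipher) // what a database copy exposes
	pt, _ := OpenPassport(dataKey, rec)                          // what the keyed application sees
	_, ok := FindByPassport([]GuestRecord{rec}, indexKey, "X1234567")
	fmt.Println("decrypted:", pt, "| lookup via blind index:", ok)
}
```

The blind index is the part that usually gets forgotten when “just encrypt it” is proposed: once the column is ciphertext, the database can no longer search it, so lookups need a keyed hash alongside the ciphertext, and the index key must be held where the database cannot read it.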
Sorenson added: ‘Beyond the steps taken to secure the Starwood network and the retirement of the Starwood Guest Reservation Database, we have accelerated our roll-out of endpoint protection tools to over 200,000 devices. Those tools allow real-time discovery of suspicious behavior on both the Starwood and Marriott networks and have next-generation anti-virus features. We are focused on identity access management, which means a broader deployment of two-factor authentication across our systems, as well as network segmentation, which means isolating the most valuable data so that it becomes more difficult for attackers to access the systems and for malware to spread through the environment.’
Prevention Is Better Than Cure
Whilst we will probably never know all of the tools that Marriott are implementing beyond endpoint protection, we would suggest the set should include at least some of the following:
- Breach Detection – find out straight away if your network has been breached
- Bot Management – prevent automated attacks on websites, mobile apps and APIs
- Web Application Firewalls – protect your web servers from attacks
- DDoS Mitigation – protection against DDoS attacks
- Endpoint Protection – protect endpoints to prevent data breaches