[BreachExchange] Marriott data breach shows cyber security risks of mergers

Destry Winant destry at riskbasedsecurity.com
Tue Dec 4 09:41:09 EST 2018


https://www.enterprisetimes.co.uk/2018/12/03/marriott-data-breach-shows-cyber-security-risks-of-mergers/

Marriott International has disclosed one of the largest data breaches
on record. More than 500 million customers of its Starwood division
were exposed to hackers for more than four years. This means that the
hackers were already inside the Starwood system prior to the agreement
by Marriott to buy SPG. As with the Verizon acquisition of Yahoo, it
shows the need for a full cyber security audit as part of any merger
agreement.

In its formal statement, Arne Sorenson, Marriott’s President and Chief
Executive Officer said: “We deeply regret this incident happened. We
fell short of what our guests deserve and what we expect of ourselves.
We are doing everything we can to support our guests, and using
lessons learned to be better moving forward.

“Today, Marriott is reaffirming our commitment to our guests around
the world. We are working hard to ensure our guests have answers to
questions about their personal information, with a dedicated website
and call center. We will also continue to support the efforts of law
enforcement and to work with leading security experts to improve.
Finally, we are devoting the resources necessary to phase out Starwood
systems and accelerate the ongoing security enhancements to our
network.”

What do we know so far?

On 30th November, Marriott issued a press release saying that it had
discovered a data breach of the Starwood guest reservation system. The
breach contained customer information for those who stayed at a
Starwood property between 2014 and September 10, 2018.

Marriott claims that the first it knew of the problem was a security
alert on September 18. It started an investigation that took until
November 19 to determine that a breach had occurred. The
investigation uncovered an encrypted file on the Starwood systems.
Marriott staff, or their security contractor, decrypted that file. It
was found to contain customer data, at which point the company started
to notify regulators.

So far, the investigation has identified the details of 327 million
guests. The details in the file, and presumed to be in the hands of
hackers, include:

- Name
- Mailing address
- Phone number
- Email address
- Passport number
- Starwood Preferred Guest (“SPG”) account information
- Date of birth
- Gender
- Arrival and departure information
- Reservation date
- Communication preferences

The company also admitted that the information includes payment
card numbers and payment card expiration dates. While it claims the
payment card numbers were encrypted using the Advanced Encryption
Standard (AES-128), it also admits that the keys needed to decrypt
those payment card numbers may have been stolen. If so, this makes
the breach significantly worse, as it shows the hackers had complete
access to all company information.

Why was this not detected earlier?

That is a question that everyone wants the answer to. The attackers
had been inside the Starwood system for at least a year before
Marriott and Starwood announced the acquisition in November 2015. The
deal took 10 months to complete and cost Marriott $13 billion.
However, while the formal paperwork was complete, the IT systems
integration has been an ongoing challenge.

In Sorenson’s statement he admitted that the systems were not
integrated. Integrating complex systems is never easy. In this case,
it was not just core booking systems but management systems and reward
membership schemes that needed to be integrated. Starwood also had a
problem with integration. The Club Carlson systems were separate from
the Starwood systems as were those of other hotels. This may have
added to the complexity for the IT integration team.

Part of the IT integration project should have been the security and
safety of data. It is clear that there was no security audit of the
Starwood systems, and this is something that regulators and
shareholders will want to know about. After the problems with
undisclosed breaches that Verizon found when it acquired Yahoo, a
security audit of any acquisition target should be a priority.

Ongoing challenges with this acquisition also reared their heads at
the Marriott August earnings call with analysts. The company admitted
that completing the integration was causing issues. However, it sought
to focus that call on quality and the disposal of properties that
didn’t meet its standards. Little was said about the IT challenges or
the fact that those systems were still not integrated almost two years
after the deal closed.

What does the industry say?

Unsurprisingly, there has been a huge response from cyber security
vendors and other industry commentators. The biggest issue for most
seems to be the length of time that the hackers operated freely inside
Starwood systems. There is also concern that they may have already
migrated across into the Marriott systems. This could have occurred
during the merging of the rewards databases and other systems that
have already been integrated.