News of the Marriott hack, which looks to be the second-largest data breach in history, has led to exasperation from the cybersecurity industry.
The breach, which saw a slew of personal details, including passport numbers, dates of birth and financial data, exposed over a period of four years, is notable both for the length of exposure and for the number of people – 500 million – impacted.
“If 500 million individual guests were indeed impacted by this breach, it will make it one of the most significant data security incidents that we have seen to date,” explained Ed Macnair, CEO of CensorNet.
“While it is still yet to be determined exactly what information has been accessed, it seems likely that there is a huge amount of data involved – including payment details – and anyone who has stayed with the hotel chain in recent years has good reason to be concerned.”
The latest in a long line of mega breaches
This is the latest in a long line of high-profile breaches to hit this year, and with so many people impacted, Sam Curry, chief security officer at Cybereason, argues that the severity of this incident fails to resonate.
“With mega breaches like this one, in general we have become desensitised with the astronomical numbers,” he said.
“What does 500 million, 1 billion or 5 million names mean as when we start to get this high it’s likely that every living human on the face of Earth has been hacked?”
Shock over four-year time period of Marriott hack
While the 500 million affected is undoubtedly shocking, the length of time the hackers had access to company systems was arguably more concerning.
“This breach occurred in 2014 and attackers have had access until it was discovered around September 10th 2018,” said Simon Roe, product manager at Outpost24.
“We regularly hear that the average time to detect a breach is 200 days, but rarely do we hear they go unnoticed for 4 years!”
“This indicates that as far as security monitoring and being able to respond in a timely and adequate fashion, Marriott had severe challenges being able to live up to its mission statement of keeping customer data safe,” added Tom van de Wiele, security consultant at F-Secure.
Attacking the soft underbelly
For the cybersecurity community, the choice of target by the perpetrators of the Marriott hack highlights the risks posed by failing to adequately protect secondary entry points into company systems.
In Marriott’s case, the attackers gained access via Starwood, a company acquired by the hotel corporation several years ago, which appears to have had weaker security than its parent.
“This is a common trend where it’s usually not the main company that is targeted but rather attackers aim to compromise the softer underbelly of the organisation, which are usually IT service providers, contractors and other entities with a high number of interactions within the company,” said van de Wiele.
“Things like the integration of IT systems and the security thereof take a lot of time between two companies that have to merge requirements, security policies, IT environments, technology stack and company cultures. Some risks are addressed, others are excepted.”
For Jake Alcott, VP of strategic partnerships at BitSight, it is also evidence of how important cybersecurity due diligence is when acquiring companies.
“This is yet another example of why it is critical that companies perform cybersecurity analysis during the due diligence period, prior to an acquisition or investment. Traditionally, companies have approached cyber risk in acquisitions by issuing questionnaires to the target company; unfortunately, these methods are time consuming and reflect only a ‘snapshot in time’ view,” he said.
“Understanding the cybersecurity posture of an investment is critical to assessing the value of the investment and considering reputational, financial, and legal harm that could befall the company.”
Marriott hack fallout
Breaches are often harmful to an organisation’s reputation, and the Marriott hack is unlikely to be any different.
“With a real treasure trove of valuable personal information having been lifted, this is undoubtedly going to damage the Marriott Starwood brands, and could have a significant direct impact for their affected customers’ identity assurance,” said Matt Walmsley, EMEA director at Vectra.
For those affected, however, it is sensible to stay vigilant.
“There is likely to be more information about exactly how this breach happened emerging over the next few weeks but, in the meantime, anyone that has been affected by this breach – or thinks they may have been – would be well advised to sign up with a credit checking service to make sure their details haven’t been used untowardly,” said Macnair.
“It would also be sensible to change passwords for other accounts that used the same log-in details.”