By Bruce Sussman
Fri | Nov 30, 2018 | 7:45 AM PST

Marriott says a huge database with information on approximately 500 million guests was breached and the information was copied and likely stolen.

It was the company's Starwood reservations database that was breached.

"If you made a reservation on or before September 10, 2018, at a Starwood property, information you provided may have been involved," the company says in its breach notice.

What kind of data was stolen in the Marriott Starwood breach?

The company says the database includes names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.

For some, the information copied also includes payment card numbers and expiration dates, although that part of the data was encrypted.

Marriott also says illegal access to the database apparently began in 2014 but was only recently detected when an internal security tool alerted the hotel's cybersecurity team.  

Those responsible for the breach had also encrypted a copy of the database and were removing it. Cybersecurity experts had to break through the encryption to figure out what the database contained.

Only then did they realize it was Starwood's massive reservations database. 

Why did cybercriminals encrypt the data?

"Exfiltrating the data inside encryption may have been an attempt to circumvent security controls such as data loss prevention systems," says Chris Morales, head of security analytics at Vectra.

"Having systems watch for exfiltration-like behaviors, rather than trying to inspect the data payloads, can provide a way for handling this challenge."

And Morales also offers insight on the timing involved:

"It’s not yet clear exactly what tool flagged the attack but it’s reasonable to believe, based upon their published description, that it was only detected late in the attack lifecycle. Attackers generally have to make multiple steps and behaviors before they are able to steal or manipulate behaviors. Therefore, detection of these early-stage behaviors is key.

This breach also demonstrates that incident response continues to take too long, and in many cases the result is security teams trying to figure out “what just happened, how do we stop it happening again?” rather than spotting, understanding and closing down an attacker earlier in its lifecycle to minimize or stop a breach occurring."

The breach involves those who have stayed at the following Starwood hotel brands:

     • W Hotels
     • St. Regis
     • Sheraton Hotels & Resorts
     • Westin Hotels & Resorts
     • Element Hotels
     • Aloft Hotels
     • The Luxury Collection
     • Tribute Portfolio
     • Le Méridien Hotels & Resorts
     • Starwood branded timeshare properties
     • Four Points by Sheraton and Design Hotels that participate in SPG

Customers who have stayed at Starwood properties are being offered free credit monitoring, and the chain has set up a dedicated data breach call center to answer questions. 


Marriott getting rid of database, adding security

Marriott, which merged with Starwood in 2016, says it "is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."

In a case like this, questions arise: Was it an inside job by a rogue employee or an outside hacker who wants to sell your information on the Dark Web?

SecureWorld will be watching for the answer.