On November 30, 2018, Marriott International announced one of the largest data breaches in history. The amount of data was massive given that the breach spanned a period of over four years. And it wasn't just any data: payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.
Recent testimony by Marriott’s CEO, Arne Sorenson, (full testimony available here) has disclosed new details about the data breach announced last year. I’ve been following this closely to learn from this historic breach and understand if, and how, it could have been avoided. Let’s take a look at what happened now that we have more details.
Here's what Sorenson told the Senate Committee on Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations last week. The hack originated in Starwood's reservation system. Marriott acquired that hotel group in September 2016, but the intrusion went undetected until September 8, 2018, when Marriott was contacted by the IT company managing its Starwood guest reservation database.
On September 10, Marriott called in third-party investigators to determine whether it had been breached. Soon afterwards, malware was found on the Starwood IT systems: a Remote Access Trojan (RAT), which allows attackers to covertly access, surveil and take control of a computer.
According to Sorenson’s latest statement, 383 million guest records and 18.5 million encrypted passport numbers were breached. Details included 9.1 million encrypted payment card numbers and 385,000 valid card numbers in addition to 5.25 million unencrypted passport numbers.
The details of the Marriott breach were bad enough on the surface – but it could have been avoided.
During his testimony (min. 6:30), Sorenson discussed Marriott's strategy moving forward. As its highest priority, Marriott will now rely on encryption and tokenization tools to secure all of the sensitive data it currently holds.
I'd like to point out two critical aspects of the breach and of Sorenson's hearing.
There are various de-identification methods available today, along with best practices for when to apply each of them. Some of these methods include:
Moving forward, Marriott has announced that it will be using one of these techniques.
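To make the difference between these methods concrete, here is an added example (my own illustration, not Marriott's or any vendor's tooling) of three de-identification techniques applied to a guest record: vault-based tokenization of a card number, keyed pseudonymization of the guest's email with HMAC, and masking of a passport number. Encryption, the other method named above, is not shown because the Python standard library has no AES implementation; in a real deployment the token vault itself and any field that must be recovered exactly would also be encrypted. The guest records, field names and the `TokenVault` class are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample guest records, not data from the breach.
SAMPLE_GUESTS = [
    {"email": "a.guest@example.com", "card": "4111111111111111",
     "passport": "X12345678", "stay_date": "2018-09-01"},
    {"email": "b.guest@example.com", "card": "5500000000000004",
     "passport": "Y87654321", "stay_date": "2018-09-02"},
]


class TokenVault:
    """Vault-based tokenization (hypothetical, for illustration).

    The token -> value mapping lives only here, in a separately secured
    store; the application database holds tokens alone, so exfiltrating
    that database yields no card numbers.
    """

    def __init__(self):
        self._vault = {}    # token -> original value
        self._reverse = {}  # value -> token, so one value maps to one token

    def tokenize(self, value: str) -> str:
        if value in self._reverse:
            return self._reverse[value]
        while True:
            # Format-preserving: random digits replace all but the last four,
            # so systems that expect "16 digits, last four printable" keep working.
            random_part = "".join(str(secrets.randbelow(10)) for _ in range(len(value) - 4))
            token = random_part + value[-4:]
            if token not in self._vault and token != value:
                break
        self._vault[token] = value
        self._reverse[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def mask(value: str, visible: int = 4) -> str:
    """Irreversible masking: keep only the trailing characters a clerk needs."""
    return "*" * (len(value) - visible) + value[-visible:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: stable join key across systems, unlinkable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def protect_record(record: dict, vault: TokenVault, key: bytes) -> dict:
    """What the application database stores for one guest."""
    return {
        "guest_id": pseudonymize(record["email"], key),
        "card_token": vault.tokenize(record["card"]),
        "passport_masked": mask(record["passport"]),
        "stay_date": record["stay_date"],
    }


def leaked_values(protected_rows: list, raw_values: list) -> list:
    """Raw sensitive values that appear anywhere in the rows an attacker could exfiltrate."""
    blob = " ".join(str(v) for row in protected_rows for v in row.values())
    return sorted(v for v in raw_values if v in blob)


def demo():
    """Protect the sample records and report which raw values would still leak."""
    vault = TokenVault()
    key = secrets.token_bytes(32)  # in practice, held in a KMS/HSM, not next to the data
    rows = [protect_record(g, vault, key) for g in SAMPLE_GUESTS]
    raw = [g["card"] for g in SAMPLE_GUESTS] + [g["passport"] for g in SAMPLE_GUESTS] \
        + [g["email"] for g in SAMPLE_GUESTS]
    return rows, leaked_values(rows, raw)


if __name__ == "__main__":
    rows, leaked = demo()
    for row in rows:
        print(row)
    print("raw values exposed by the protected table:", leaked)
```

The point of `leaked_values` is the question a defender asks after a breach: if this table had been the one copied out over four years, what would the copy have contained? The trade-offs are visible in the code, too: deterministic tokenization lets the same card be recognised across stays but also lets an attacker count how often one card appears, and the masked passport cannot be recovered at all, which is the right choice only for fields the business never needs in clear again.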
Some of the biggest breaches we have seen hit Google, Uber, Saks Fifth Avenue and Facebook. Even government agencies haven't been immune. No industry or organization is immune to data breaches that expose sensitive information. Many of the Fortune 200 companies are global in nature, and sensitive customer data is constantly moving across the enterprise. Organizations, much like Marriott, are looking for a better way to maximize both the security and the usability of sensitive data.
Global enterprises should be using vendors and tools that take a holistic approach to designing data-first security, one that does all of the following:
Stay tuned for my next blog, which will focus on demystifying data protection methods. In the meantime, I'd love to hear your feedback and thoughts about this and other data breaches. What challenges are you encountering in protecting your sensitive data? How are your concerns about exposing sensitive data hindering your expansion in the cloud? I'm looking forward to connecting, learning about your data security, and sharing models and best practices for data-first security.