The Marriott Breach: Lessons Learned for the Hotel Industry

By: Alex Shanteau, Senior Security Consultant, MAD Security | December 19, 2018

The massive breach of the reservation system for Marriott’s Starwood subsidiaries is no doubt one of the largest breaches to date, and it highlights some of the most prevalent security challenges for the hotel industry. As consolidation continues amongst hotel chains seeking scale across more geographies, the likelihood of these types of breaches will continue to rise. In this post, I’ll analyze what exactly happened and how other hotel chains can avoid such breaches.

On November 30, 2018, Marriott announced that “On September 8, 2018, (Marriott) received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database…Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.” Four years: that’s how long the attackers had been in their network. Technical details about the compromise were not disclosed, but I wonder whether they had only just installed a monitoring tool and, once they turned it on, finally saw the indicators of compromise, or whether the attackers had been in the network for that long but hadn’t attempted to access or exfiltrate data.

My next question is: what’s the damage? The database “contains information on up to approximately 500 million guests.” That is a lot of people, even more than the Equifax breach at 148 million. So what kind of data did the attacker access? “the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date,...