“We need to stop making it so easy for hackers to break in to begin with, which means we have to fundamentally redesign our operating systems that are inherently built to allow hackers to run their programs on our system,” said Ian Eyberg, CEO of startup NanoVMs. He added, "The RAT (remote access trojan) program that Marriott found in 2017 could've been totally prevented from being installed if Marriott were using such a system. Thankfully we don't need a Manhattan Project for this. Such systems already exist; they're called unikernels."
“We can expect to see more issues like this until we start holding organizations accountable for data leaks,” commented Brian Johnson, CEO of DivvyCloud, a cloud security and compliance company. "Many of these leaks are due to human error and failure of standard corporate processes rather than a failure of technology. It is not a matter of if a misconfiguration will occur, but a matter of when it will occur and how quickly it will be discovered and exploited. Without standards and automation, companies are sitting ducks.”
He noted that organizations need to be able to constantly monitor all their data—whether the database is structured or unstructured. “The key to protecting consumer data is not by placing a firewall or a DLP but being able to make sure you continuously have the ability to discover data, classify it accordingly, and take actions on the data itself to prevent access or exfiltration of any valuable or sensitive information."
Marriott is providing guests the opportunity to enroll in WebWatcher for free for 1 year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found.
But, because the Starwood customer data had been compromised dating back to 2014, the most significant impacts from the breach are likely to have already occurred, said Travis Jarae, CEO of OWI, an advisory firm focused on trust and the data economy. As a result, Jarae added, “Post-breach monitoring services such as WebWatcher may do more harm than good by offering consumers a false sense of security. No monitoring service, no matter how robust, can offer consumers complete protection from the consequences of a data breach."
While Marriott said that it has not finished identifying duplicate information in the database, the company believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some Marriott customers, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), Marriott said, further explaining that there are two components needed to decrypt the payment card numbers, and that, at this point, the company has not been able to rule out the possibility that both were taken. For the remaining guests, Marriott said, the information was limited to name and sometimes other data such as mailing address, email address, or other information.
“The Marriott breach highlights a well-known vulnerability in enterprise application to database workflows. Unlike end-to-end encryption for messages, data in databases is only encrypted ‘at rest’ and not when it is in the database memory and when ‘in use.’ Hackers access data in the database memory in the clear when they obtain the administrator’s credentials which gives them full control," said CEO Ameesh Divatia of Baffle. If at-rest encryption is implemented, as was the case here, hackers also obtain the keys used to encrypt the data so they can now access the entire data store. Application-based encryption would fix this vulnerability but it is cumbersome to implement and interferes with the ability of the application to process that data at speed.”
The sophistication of the Marriott breach begs the need to go beyond at-rest encryption that is offered by database vendors. Regulators need to expand the mandate to encrypt data in the entire database environment from at rest only to in memory and in use, Divatia noted.
It is unknown if this breach will fall under the domain of GDPR, said Marshall. "Based on the size of the breach it seems likely that some EU natural person data was also compromised. Marriott is likely working with their EU DPA representative to facilitate transparency and involvement by the supervisory authorities there. Another potential issue around GDPR is that the record set was so large. It’s unknown if Marriott had a lawful basis to collect or maintain the various data elements that were disclosed to have been breached."