Marriott has announced what appears to be one of the larger data breaches in history, a compromise that affects as many as 500 million people and stretches back to an intrusion in the company’s network in 2014.
The breach is staggering in regard to both the number of people potentially affected and the length of time the attackers were on the network. Marriott officials said the intrusion occurred on the Starwood network some time in 2014 and the company only became aware of the compromise in September. Marriott and Starwood merged in 2016, and Marriott officials said the attackers were able to access a database on the Starwood guest reservations system.
The company learned of the intrusion after an internal security system threw an alert about an unauthorized access attempt to the Starwood guest reservation system on Sept. 8. For 327 million people, information compromised in the breach includes names, home addresses, phone numbers, email addresses, some passport numbers, dates of birth, and some payment card information. For the other affected customers, the attackers only had access to names and some address and email address data.
“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database,” the Marriott statement says.
The company said that the payment card data stolen was encrypted, but Marriott officials aren’t sure whether the attackers were also able to steal the encryption keys needed to decrypt the data.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” Marriott said.
It’s highly unusual, if not unprecedented, for a company to signal publicly that encryption keys were taken as part of a data breach. Typically, companies will say that stolen data was either encrypted or in plaintext, but the mention of the possible theft of the encryption keys themselves is rare.
Sophisticated adversaries can dig into networks and stay hidden for some time, as the Marriott attackers appear to have done, and study the environment as they look for valuable information to grab.
"It all boils down to how intelligent the adversary is. If the adversary knew what he or she was targeting and had information about the environment and behavior patterns, it significantly reduces the chances of getting caught," said Itzik Kotler, CTO of SafeBreach.
In today's atmosphere, everyone understands that they're a target. There's no downside for the attackers in owning your laptop or your network. There's always a reason for the bad guys to hack you. It's always valuable, one way or the other.
Starwood has been affected by data breaches in the past, including one in 2015 in which attackers planted malware on point-of-sale terminals at some of the company’s hotel properties. That incident only involved a subset of properties in North America, and the attackers were able to get payment card data from hotel front desks, gift shops, and restaurants.