4 Reasons Why Marriott’s Handling Of The Starwood Data Breach Is A 2/10… So Far.


Marriott recently announced that hackers had infiltrated its Starwood guest reservation database and copied customer records. And snap! Just like that, roughly 500 million customers who had made a booking at a Starwood property on or before September 10, 2018, found their data compromised and in the hands of the nefarious. While it may be easy to become desensitized to breaches these days, the Marriott breach is a cautionary tale, both for its customers and for those who wish to avoid similar mistakes.

Firstly, it’s important to realize that this breach isn’t just massive in scale; it’s dangerous because of the nature of the data stolen. We’re not talking about just usernames and passwords: this breach also involved passport numbers, birthdates, home addresses, and in some cases payment card numbers and expiry dates. A password can be reset; a passport number, birthdate and home address cannot easily be changed. In the wrong hands this is profoundly compromising information and can lead to card fraud, passport fraud, identity theft, targeted phishing and other attacks.

Secondly, this breach - and Marriott’s poor handling of it - is a cautionary tale for companies wishing to preserve customer trust despite the modern-day realities of data theft. Here are 4 reasons we give Marriott a 2/10 for incident response:

  1. Clearly their security team could do with some help: these particular hackers seem to have been poking around this system undetected since 2014. Put another way, the earth has gone around the sun 4 times, you can earn a bachelor’s degree faster, and one of my friends got married – and divorced - in less time than it took Marriott to detect the hacker in their systems. It’s that long.

  2. We don’t understand why Marriott took two days from becoming aware of the problem to cutting off the hacker’s access to the database. Data from bookings made on September 9th and September 10th, 2018 was still being taken. From what we currently know, those customers appear to have been avoidable casualties.

  3. Marriott took almost 3 months to notify consumers of this breach (Marriott notified consumers and law enforcement on November 30, 2018). This definitely fails to meet the standard consumers – and regulators – increasingly expect. And maybe I’m being overly suspicious here, but this notification came out on Thanksgiving Friday - not technically a public holiday – but everyone in the US treats it as one. Are Marriott exploiting the US’s biggest ‘Taking out the Trash Day’? It all smells very, very bad.

  4. Finally, although Marriott have set up websites and notifications to manage this incident, it’s difficult to determine which ones are legitimate and which ones are fake. For example, Marriott set up info.starwoodhotels.com to answer questions, but that automatically redirects you to https://answers.kroll.com/. Unless you are in the industry you probably don’t know that Marriott have appointed Kroll as the incident response and investigations team for this breach, and there’s no mention of it on the landing page. It’s an obvious miss. To add insult to injury, the email account Marriott is sending notices from - @email-marriott.com - doesn’t look like a legitimate Marriott email address. With the proliferation of phishing attacks, consumers are justifiably wary: scammers routinely leverage the news of a breach to send fake breach notifications from official-looking email addresses and look-alike domains, and these "phishers" try to dupe you into providing your private information under the pretense of being a portal where you can find out if you were part of the breach. The only reliable check is to ignore the sender address and the link entirely, type the company’s own domain into your browser and look for the notice there; a legitimate notification loses nothing if you verify it that way, and a fake one is exposed.
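As an added example (not code from the original post, nor Marriott’s or Kroll’s), here is a small Python triage script that applies the check above mechanically: it extracts the sender’s domain and every link in a notification, follows redirects, and reports whether each lands on a domain the company is known to own. The allowlist, the redirect table (standing in for real HTTP redirects so the script runs offline) and the sample email are constructed for the example; the sender local part "notice@" is an assumption, and registrable-domain extraction uses a simple last-two-labels rule rather than the public suffix list.

```python
"""Triage a breach-notification email: do the sender domain and every link
land on a domain the organisation is known to own?

Added example, not code from Marriott, Kroll or the original post. The
allowlist, redirect table and sample message below are constructed.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: domains we take as genuinely owned by the company.
KNOWN_DOMAINS = {"marriott.com", "starwoodhotels.com"}
# Brand words whose presence in an unknown domain marks it as a look-alike.
BRAND_TOKENS = ("marriott", "starwood")

# Constructed redirect table standing in for HTTP 3xx responses, so the
# example runs offline. The entry mirrors the redirect described above.
REDIRECTS = {
    "https://info.starwoodhotels.com/": "https://answers.kroll.com/",
}

# Constructed sample notification (the local part 'notice@' is assumed).
SAMPLE_FROM = "Starwood Guest Reservation Database Security Incident <notice@email-marriott.com>"
SAMPLE_BODY = """\
We have set up a dedicated website to answer your questions:
https://info.starwoodhotels.com/
You can also visit https://www.marriott.com/ for updates.
"""


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Assumption: no public-suffix handling, so 'example.co.uk' would wrongly
    reduce to 'co.uk'; adequate for the .com domains in this example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def final_url(url: str, max_hops: int = 5) -> str:
    """Follow the constructed redirect table, bounded to avoid loops."""
    for _ in range(max_hops):
        if url not in REDIRECTS:
            break
        url = REDIRECTS[url]
    return url


def classify_domain(domain: str) -> str:
    """'known' (allowlisted), 'lookalike' (brand word but not allowlisted)
    or 'third-party' (no relation to the brand at all)."""
    if domain in KNOWN_DOMAINS:
        return "known"
    if any(token in domain for token in BRAND_TOKENS):
        return "lookalike"
    return "third-party"


def triage(from_header: str, body: str) -> dict:
    """Classify the sender and each link; anything not 'known' means the
    notice must be verified out of band (type the company's domain yourself)."""
    _, addr = parseaddr(from_header)
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    links = []
    for url in re.findall(r"""https?://[^\s<>"']+""", body):
        dest = final_url(url)
        dest_domain = registrable_domain(urlparse(dest).hostname or "")
        links.append({
            "url": url,
            "final": dest,
            "redirected": dest != url,
            "domain": dest_domain,
            "verdict": classify_domain(dest_domain),
        })
    verdicts = [classify_domain(sender_domain)] + [link["verdict"] for link in links]
    return {
        "sender_domain": sender_domain,
        "sender_verdict": verdicts[0],
        "links": links,
        "verify_out_of_band": any(v != "known" for v in verdicts),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FROM, SAMPLE_BODY)
    print(f"sender {result['sender_domain']}: {result['sender_verdict']}")
    for link in result["links"]:
        arrow = f" -> {link['final']}" if link["redirected"] else ""
        print(f"link {link['url']}{arrow}: {link['verdict']}")
    print("verify out of band:", result["verify_out_of_band"])
```

Run against the constructed sample, the sender domain email-marriott.com comes back as a look-alike and the info.starwoodhotels.com link is reported as redirecting to the third-party domain kroll.com, which is exactly the ambiguity a recipient faces. The script checks only domains; it does not verify SPF/DKIM alignment or TLS certificates, so a "known" verdict is a necessary, not sufficient, condition for trusting a message.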

Why isn’t the score lower? Well – Marriott don’t seem to be trying to profit off the breach (yes – it happens), we have no evidence yet that this is anything other than a lack of security capability or resources, and Marriott do now – admittedly belatedly – appear to be taking the right steps. Of course, it can always get worse (or better!) as new facts emerge over the coming weeks and months. I join the 500 million other people who are watching.

Claudia Iannazzo
CEO - Catalisto


Catalisto is a next generation security distributor and solutions provider. We help organizations and their trusted providers access unconventional solutions to their biggest security problems. Find out more at www.catalisto.com 

