MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

By Byron V. Acohido

I have a Yahoo email account, I’ve shopped at Home Depot and Target, my father was in the military and had a security clearance, which included a dossier on his family, archived at the U.S. Office of Personnel Management, I’ve had insurance coverage from Premera Blue Cross and I’ve stayed at the Marriott Marquis in San Francisco.


The common denominator: all of those organizations have disclosed massive data breaches over the span of the past five years.

On Friday, Starwood Properties, which merged with Marriott in 2016, disclosed that as many as 500 million people who made reservations at its hotels may have had their personal information accessed in a breach that lasted as long as four years.

The Starwood hack appears to come in second in scale only to the 2013 Yahoo breach, which affected as many as 3 billion accounts, while a subsequent Yahoo breach also hit 500 million accounts.

The breach is rightly attracting attention of regulators in Europe and the United States. Marriott shares fell nearly 6 percent to $114.67 in Friday afternoon trading. Here’s a roundup of reaction from cybersecurity thought leaders:

Gary Roboff, Senior Advisor, the Santa Fe Group:


How could a breach like this continue for four years? If encryption keys were compromised and payment data was in fact exposed, this could indicate that stolen credentials were released at an exceptionally slow release rate versus a mass data dump exfiltration event in order to make it harder for fraud and security teams to identify the kinds of patterns that would normally indicate a point of compromise.

While we don’t fully understand what happened at Starwood and Marriott, basic security hygiene requires extraordinary attention to detail and diligence. In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. If diligence isn’t constant and systematic, the potential for compromise, with all that implies, increases significantly.

Bimal Gandhi, Chief Executive Officer, Uniken:


Events like this Marriott Starwood breach underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication, given the sheer proliferation of stolen and leaked PII now available on the Dark Web.

Every piece of customer information that a company holds represents a potential point of attack, and each time a partner or agent accesses it, that becomes a potential attack point as well. Hotels, hospitality companies, banks and eCommerce entities are all moving to newer ways to enable customers to authenticate themselves across channels, without requiring any PII.

Customer-facing commerce and financial institutions seeking to thwart credential stuffing are increasingly seeking to migrate beyond PII authentication to more advanced methods that do not require the user to know, manufacture or receive and manually enter a verification factor, in order to eliminate the ability for bad actors to guess, phish, credential-stuff, socially engineer, mimic or capture their way into the network.

Satya Gupta, CTO and Co-founder, Virsec:


What’s most disturbing about this attack is the enormous dwell time inside Starwood’s systems. The attackers apparently had unauthorized access since 2014 – a massive window of opportunity to explore internal servers, escalate privileges, move laterally to other systems, and plot a careful exfiltration strategy before being discovered.

All organizations should assume that the next threat is already inside their networks and won’t be caught by conventional perimeter security. We need much more careful scrutiny of what critical applications are actually doing to spot signs of internal corruption. We must reduce dwell time from years to seconds.

Michael Magrath, Director, Global Regulations & Standards, OneSpan:


The vast stores of personally identifiable data on the Dark Web continue to grow at historic rates, and fraudsters have rich resources with which to steal identities or create new, synthetic identities using a combination of real and made-up information, or entirely fictitious information.

For example, the personal data obtained in one breach could be cross-referenced with data obtained from another breach and other widely publicized private sector breaches, and the Marriott breach only makes their task that much easier and more likely to succeed. Having the databases in the same place makes things even easier for the bad guys.

Franklyn Jones, CMO, Cequence:


Unfortunately, we can also expect to see a long tail effect from this breach. As this data finds its way to the dark web, these stolen credentials will be acquired by other bad actors. They, in turn, will orchestrate high volume bot attacks to see if the stolen credentials can also provide access to web, mobile, and API application services of other organizations.

John Gunn, CMO, OneSpan:


The significance of the Marriott breach is not in the number of records that were compromised; that is relatively small. Its impact on the victims is much greater than the numbers reveal. It is remarkably easy to request a replacement credit card from your financial institution and you are not responsible for fraudulent activities – try that with your passport.

This may be an emerging trend with hacking organizations, to target large pools of passport data. Stolen passports sell for a magnitude more than stolen credit cards on the dark web.
