The Green Sheet

Friday, January 4, 2019

Investigators, analysts criticize Marriott's handling of data breach

Forensic analysts disclosed Jan. 4, 2019, that while the number of hotel records compromised in the Marriott Starwood security breach was close to 383 million, not the 500 million initially reported, 5 million unencrypted passport records may also have been exposed during the breach. Security analysts have been sharply critical of the hotel's handling of the incident, which is believed to have been the largest known data compromise of 2018.

Marriott reported the incident in November 2018, but analysts believe the hotel had prior knowledge that guest data had been compromised. Starwood reported a smaller breach in 2015 that began when attackers installed malware on POS systems in certain hotel gift shops and restaurants. Marriott claimed that incident was not associated with the larger breach reported in November 2018. However, according to security experts, the hotel failed to detect attackers who were already in its network in 2015 and who were able to lurk in its reservation system for three additional years; had the hotel been more diligent in its investigation, the hackers would have been uncovered sooner.

"With all the resources they have, they should have been able to isolate hackers back in 2015," Andrei Barysevich, a researcher with the security company Recorded Future Inc., told the Wall Street Journal in December 2018.

Bimal Gandhi, CEO at Uniken, stated the hotel chain's antiquated security architecture enabled cybercriminals to exploit its network. "Continued reliance on outdated security methods, such as using personally identifiable information (PII) in authentication is folly, given the vast amount of stolen and leaked PII now available on the Dark Web," he said.

Gandhi went on to note that every piece of customer information represents a potential point of attack, whether it is stored by a company or accessed by a partner or agent. This is why hotels, hospitality companies, banks and ecommerce entities are moving to newer authentication methods across all channels, without requiring any PII, he noted.

Rethink security

Ruston Miles, chief strategy officer and co-founder at Bluefin, pointed out that many companies rethink security procedures and strategies following a major security episode. In addition to implementing better data security, companies could ideally implement data devaluation technologies, such as tokenization in databases and point-to-point encryption in card devices, to mitigate the risk of compromise in the event of a breach, he stated.

"In any breach, there is a loss of trust with the consumer and a negative effect on the brand," Miles said. "Also, after a breach, companies spend a great deal of time securing themselves instead of focusing on innovation as layers of necessary, but sometimes overeager security overhead are added throughout the entire organization. This can add friction to people, operational and technology processes."

Gandhi recommended using advanced technology to protect against an array of attacks that seek to gain unauthorized access to a network, such as guessing, phishing, credential stuffing, social engineering and mimicking. Advanced security methods do not require the user to know, manufacture or receive and manually enter a verification factor, he added. "Cryptographic key-based authentication combined with device, environmental and behavioral technologies is an invisible multifactor authentication solution that provides just such a solution," Gandhi said. "By their very nature, they are easy to use, they're issued and leveraged invisibly to the user, they remove human error, and they defy credential stuffing and other common attacks."
