Why Marriott Breach Includes Some Valuable IT Lessons

NEWS ANALYSIS: It seems that Marriott was doing pretty much everything right when it discovered an ongoing breach, but it may still pay massive penalties.


While there’s still a lot we don’t know about the breach of a reservations database belonging to Marriott International, what we do know is encouraging.

First, Marriott didn’t actually suffer a breach. Rather, Marriott’s role in the whole breach event--as confirmed to eWEEK by a Marriott spokesperson--was in discovering the breach and in taking corrective action. In fact, Marriott inherited the breach when the company acquired the Starwood hotels, where the breach was already ongoing.

The background of this story is an important lesson for companies involved in acquisitions. In this case, Marriott was in the process of working with Starwood’s reservations system in preparation for merging the two systems into a single reservations system for all of Marriott’s properties. When Marriott bought Starwood three years ago, its first priority was to merge the two loyalty systems, so that people who had belonged to the Starwood Preferred Guest rewards program would have their accounts moved to Marriott. People with accounts in both systems would have them merged and their accumulated points combined.

The merging of the two rewards programs was finished, and members of those programs have been able to combine their accounts since this past summer. But until now, you still had to reserve rooms at former Starwood properties through the old reservations system. It was while working with the old Starwood reservation system that Marriott’s IT staff discovered the activities of the hackers, who had been inside the reservation system for four years. That’s when Marriott sounded the alarm.

Breach started way back in 2014

According to a statement released by Marriott, the Starwood breach has been ongoing since 2014. In 2015, Starwood announced a breach of its payment systems, which also began in 2014. At this point it’s not known whether the breach that Starwood announced was related to the one that Marriott discovered, but if it is, it would be similar to breaches that hit other hotel systems where the attacks included payment systems as well as other databases.

Marriott apparently found the breach because it had installed a new security monitoring tool on the Starwood network, which detected the breach in progress. While Marriott didn’t say which tool found the breach, the company did say the tool enabled it to discover the encrypted data that the attackers had staged for exfiltration. Marriott prevented that exfiltration and has since decrypted most of the misappropriated data.

Marriott hasn’t said how much data was actually exfiltrated, but the data it found included names, email addresses, mailing addresses, phone numbers and passport numbers. Credit card information was also accessed, but according to Marriott, this information was encrypted using 128-bit AES encryption that required two keys to read. There’s no indication that the attackers were in possession of the encryption keys, but Marriott has said that it can’t rule that out. Marriott also said that its own reservation system and its own networks were not affected by the Starwood breach.

As bad as all of this sounds, especially for the 500 million Starwood customers who may have had their personally identifiable information stolen, it could have been much worse. Marriott has set up a website for its customers; it has included free monitoring through Kroll’s WebWatcher, which will watch for illegal uses of customer information; it has opened a call center to assist customers; it has issued the required California data breach notice; and the company says it will offer reimbursement for costs related to corrective action taken because of the breach.

Despite it all, Marriott looks like it did everything right

In fact, while Starwood clearly had some security issues, including failing to detect the exfiltration of data, allowing the breach to go undetected for years, and not noticing the cache of encrypted data created by the hackers, Marriott appears to have done everything right.

There are important lessons here, especially when a company is acquired.

  • First, Marriott’s IT folks kept the Starwood network and its database separate. While the Marriott and Starwood websites could link to each other, there was no other connection, which prevented any malware in one from traveling to the other.
  • Second, Marriott imposed improved security practices on the Starwood network, which ultimately led to the breach being discovered.
  • Third, Marriott appears to have followed the rules with regard to breach notification and has begun working with law enforcement to catch the hackers. While we don’t know what the company has done to meet the GDPR notification requirements, the company did say that it had notified authorities.
  • Fourth, Marriott is providing support for Starwood’s customers affected by the breach with monitoring, a call center and a detailed website.

Some may criticize Marriott for not notifying affected customers that their data may have been taken until now, but it appears that much of the time between discovering the breach in September and now was spent in cracking the encryption of the hackers’ cache to find out exactly what was taken.

While no data breach of the scale that Marriott discovered can be considered good news, the fact is that Marriott appears to have shown how to handle such an event the right way. It found the breach, stopped further damage, determined the breadth of the event, and it helped the victims.

You could do a lot worse than to follow Marriott’s example--except maybe to check the company you’ve acquired for bugs a little sooner.

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...