To suffer one data breach may be regarded as a misfortune; to suffer two looks like carelessness. However, as the industry picks over the second major data breach to befall hotel chain Marriott International in under two years, there are some encouraging signs that despite how it may appear to an observer, the firm has learned some important cyber security lessons. All organisations could stand to learn from its experience.
To establish the facts; between January and February 2020, the login credentials of two employees at a franchise hotel property were used to access the personal information – including contact details and personal data, loyalty account information, and guest preferences – of 5.2 million Marriott guests.
On discovering the breach, Marriott immediately disabled the compromised credentials and began an internal investigation. It has informed law enforcement and has already implemented heightened monitoring and taken steps to support the affected customers.
Coming so soon after hundreds of millions of customer details were stolen in 2018, earning Marriott a huge fine from the UK’s Information Commissioner’s Office (ICO), there are many that would like to rush to condemn the company. But this is not always appropriate in the wake of a cyber security incident of this nature.
Cybereason chief security officer Sam Curry said: “Today, it is less about bayoneting the wounded and a lot more about how Marriott makes sure this never happens again? Brands are suffering regularly, and time will tell what happened with Marriott,” he said.
Stuart Reed, Nominet vice-president of cyber, said: “News that Marriott has been hit again by a security breach raises the question of what should be done after a company suffers an incident. Highlighting potential vulnerabilities but also showcasing the importance of investment, the steps taken after a breach are often crucial to alleviating reputational damage and securing the data of customers in the future.
“In our research, we have found that two thirds of those hit by a breach in the past 12 months weren’t very confident that their organisation could defend against the same type of attack again,” he said. “The recent Marriott security incident potentially indicates that this lack of confidence is warranted.”
However, it’s important to note that based on currently available information, the second attack was substantially less severe than its predecessor, and Samantha Humphries, security strategist at Exabeam, said that the steps the company took in its disclosure were overall responsible and appropriate.
“If there is something positive to say about this breach notification, it’s that Marriott’s security team seems to have minimised the attacker’s dwell time to a little over a month,” she said. “While still significant, 5.2 million compromised guests is a drastic reduction from almost half a billion the last time this organisation identified an attack.
“What’s clear in this case is the credentials-based attack – whether it came via compromised credentials from unwitting employees or malicious insiders in the network – is far from rare. A 2019 Forrester survey revealed almost half of data breaches were caused by some form of insider threat. It’s a case of when this will happen for most security teams, so the focus needs to be on minimising dwell time for attackers – from months to minutes,” she said.
Varonis field CTO Brian Vecci said he also saw a silver lining: “It may seem strange, but Marriott should be commended. They were able to report on what information was taken and which customers were affected. A breach is never good news, but it’s a positive sign that they were able to keep tabs on their data and report on it – transparency is the name of the game.”
Ed Macnair, CEO of Censornet, said Marriott’s latest embarrassment will serve as a lesson for everyone else in how a simple attack technique can have wide-ranging and long-lasting impacts.
“Account takeover is basically modern day identity theft – criminals hijack an employee’s legitimate email account and use it for malicious means,” he said. “For Marriott, two employee’s accounts were used to steal vast amounts of guest data.
“While financial data wasn’t stolen the personal information the criminals did get is incredibly valuable and can be used for malicious means – for example, to use personal information to conduct convincing phishing attacks against guests,” said Macnair.
Constant vigilance, even during unique times
Bob Rudis, chief data scientist at Rapid7, said that the incident highlighted the importance of remaining vigilant for new cyber attacks even – or particularly – if you have just experienced one. Successful attacks can happen to any organisation, and the use of stolen legitimate credentials remains highly popular, he said.
Moreover, vigilance should be redoubled during the ongoing Covid-19 coronavirus pandemic.
“Current disruptions in traditional work patterns also increase the likelihood of more frequent and clever attacks occurring every day. Even though your staff may be more dispersed than usual, this is no time to hold back on regular awareness training,” said Rudis. “It is also paramount that you continue to watch for anomalous behaviour of systems and accounts to reduce the time attackers have to accomplish their goals if they do manage to breach your defences.”
Darktrace’s director of strategic threat, Marcus Fowler, agreed that even though the hospitality industry is enduring great hardship during this time of enforced venue closures and self-isolation, no business could afford to take its eye off the ball, even if all its employees have been furloughed.
“This breach should serve as a wake-up call to all in the hospitality sector – and other industries being negatively impacted by the pandemic – that they are still targets. Attackers won’t wait to attack until business has stabilised, or until security and IT teams have completed the transition to remote work,” he said. “Instead adversaries will look to use this uncertainty and upheaval to their advantage – striking while businesses are struggling to adapt.”
“These organisations also still have information that is valuable to cyber actors. In this instance it was the contact information of 5.2 million customers, which attackers can use to launch targeted email campaigns.
“Unfortunately, the risks of business email compromise are exacerbated when employees are working remotely and are hungry to receive information from colleagues or updates from their company,” said Fowler.
Proper planning prevents pickles
For Tim Mackey, principal security strategist at the Synopsys CyRC (Cyber security Research Centre), Marriott’s misfortune highlights the importance of pre-preparing a detailed threat model on business operations, and implementing the right monitoring controls to ensure that problems can be spotted in good time.
“In this case, the attack vector was via compromised employee credentials. Those credentials provided access to guest services within individual properties under the Marriott brand. Since employees often have access to sensitive customer data, creating appropriate alerts to detect credential misuse is particularly difficult,” said Mackey.
“Examples of behaviours to look out for include: time of day (i.e., is the employee clocked in), scope of access (i.e., is the accessed data outside of their normal role), and volume of data (i.e., is the access consistent with how an employee would access data to address customer requirements).
“Implementing such controls requires organisations to look not only at the application security and how its deployed, but the intended usage patterns incorporating human factors data,” he said.
Carl Wearn, head of e-crime at Mimecast, highlighted how important it is for CISOs and security teams to know their organisational IT environment inside and out.
“This will enable them to identify any vulnerabilities quickly and easily and issue a patch update where required. It is also advisable that organisation carry out pen testing so that they are able to identify any flags quickly,” he said.
“But the IT team can only succeed if every employee does their part in improving the business’ security. That includes being aware of basic data security principles such as the GDPR rules, which are immediately linked to customer data. Providing the right security education and training will also ensure that every employee better understands the implications of poor security and implements the right best practices for themselves and their colleagues.”
Debbie Gordon, CEO of Cloud Range Cyber, said: “Sometimes it takes an attack like the Marriott breach for companies to realise they don’t have the proper experience, training or preparation to prevent or minimise damage. Every minute matters and speed is the difference between a minimal breach or one that will devastate a company forever.
“Frankly, companies need to practice using both technical and communication simulations along with security operations, incident response, and executive stakeholders to ensure their team’s preparedness,” she said.
“Ultimately, the only way to prepare for an event – the only protective measure that stands between a threat and an actual breach – is to supply cyber security teams simulation exercises designed to help them think critically in order to detect, respond to, and remediate cyber attacks.
“These exercises measure their detection and response time preparedness which will reduce dwell time and minimises risk to any organisation. Hackers’ skills are constantly evolving; but companies can overcome the cyber skills gap by implementing advanced simulation training before threats fully develop and breaches occur,” she said.
In terms of technological approaches, Censornet’s Macnair said that based on what we know about Marriott’s latest breach, two-factor or multi-factor authentication (MFA) was probably the best option.
“While account takeover attacks can be devastating, there is a straightforward way to protect against them. The most effective method is to use two-factor or multi-factor authentication,” said Macnair. “MFA means that accounts are protected with more than just a password, for example stopping logins from strange locations or without a unique one-time-passcode.”
“For organisations looking at this attack and wondering how to stop the same thing happening to them, MFA is a must-have for admin or privileged account holders who can access sensitive data or escalate privileges.”