Marriott Could Have Prevented Privacy Data Breach with Tokenization

Author : Huz Dalal

On November 30, 2018, Marriott International announced one of the largest data breaches in history. The amount of data was massive given that the breach lasted across a period of over four years. And it wasn’t just any data: payment information, names, mailing addresses, phone numbers, email addresses and passport numbers.

Recent testimony by Marriott’s CEO, Arne Sorenson (full testimony available here), has disclosed new details about the data breach announced last year. I’ve been following this closely to learn from this historic breach and understand if, and how, it could have been avoided. Let’s take a look at what happened now that we have more details.

Here’s what Sorenson told the Senate Committee on Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations last week. The hack originated at Starwood’s reservation system. Marriott acquired that hotel group in September 2016, but the intrusion went undetected until September 8, 2018, when Marriott was contacted by the IT company managing its Starwood guest reservation database.

On September 10, Marriott called in third-party investigators to determine whether it had been breached. Soon afterwards, malware was found on the Starwood IT systems: a Remote Access Trojan (RAT), which allows hackers to covertly access, surveil and gain control over a computer.

According to Sorenson’s latest statement, 383 million guest records and 18.5 million encrypted passport numbers were breached. Details included 9.1 million encrypted payment card numbers and 385,000 valid card numbers in addition to 5.25 million unencrypted passport numbers.

The details of the Marriott breach were bad enough on the surface – but it could have been avoided.

During his testimony (min. 6:30), Sorenson discussed Marriott’s strategy moving forward. As their highest priority, Marriott will now rely on encryption and tokenization tools to secure all data they currently keep in the space.

I’d like to point out two critical aspects of the breach and Sorenson’s hearing.

  1. The hack originated at Starwood’s reservation system, which is a transactional system. Unfortunately, many corporations de-identify sensitive data in their analytical systems but not in their transactional systems.
  2. Marriott’s CEO, Arne Sorenson, highlights his first priority as using tokenization along with encryption to swap out all sensitive data across the enterprise.
    1. Why Tokenization? The purpose of tokenization is to swap out sensitive data—typically payment card or personally identifiable information (PII)—with a randomized number in the same format, but with no intrinsic value of its own. The data is replaced with an undecipherable token.
    2. Why isn’t Encryption enough? Encrypted numbers can be decrypted by anyone who has the appropriate key, whether the key is found through brute computing force or is hacked or stolen.
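The contrast drawn above, as an added example that is not code from the original post or from any vendor: a small vault-based tokenizer that swaps a card or passport number for a random value in the same format. `TokenVault`, `protect_record` and the sample reservation are hypothetical names and constructed data, and the in-memory dictionaries stand in for a hardened, access-controlled vault service.

```python
import secrets
import string

class TokenVault:
    """Hypothetical in-memory stand-in for an access-controlled token vault."""
    def __init__(self):
        self._by_value = {}  # sensitive value -> token
        self._by_token = {}  # token -> sensitive value

    @staticmethod
    def _random_like(value):
        # Same format: digits stay digits, letters keep their case, separators stay.
        def swap(ch):
            if ch.isdigit():
                return secrets.choice(string.digits)
            if ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                return secrets.choice(pool)
            return ch
        return "".join(swap(ch) for ch in value)

    def tokenize(self, value):
        if value in self._by_value:  # stable token keeps joins and lookups working
            return self._by_value[value]
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing to tokenize")
        token = self._random_like(value)
        while token == value or token in self._by_token:
            token = self._random_like(value)
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token, caller_authorized):
        # The token is random, not derived from the value: reversing it needs the vault.
        if not caller_authorized:
            raise PermissionError("detokenization denied")
        return self._by_token[token]

def protect_record(vault, record, sensitive_fields):
    """Return the copy a transactional system would store: tokens, not raw values."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}

# Constructed sample reservation (test card number, made-up passport number).
SAMPLE = {"guest": "A. Guest", "card": "4111 1111 1111 1111", "passport": "X1234567"}

if __name__ == "__main__":
    vault = TokenVault()
    print(protect_record(vault, SAMPLE, {"card", "passport"}))
```

A copy of the tokenized reservation table taken without access to the vault contains only the random stand-ins, which is the property the list above attributes to tokenization.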

There are various deidentification methods available today, along with best practices for when to apply them. Some of these methods include:

  • differential privacy
  • pseudonymization
  • risk-based anonymization
  • tokenization
  • data masking

Moving forward, Marriott has announced that they will be using one of these techniques.

Some of the biggest breaches we have seen hit Google, Uber, Saks Fifth Avenue and Facebook. Even government agencies haven’t been immune from this. In conclusion, no industry or organization is immune to data breaches that expose sensitive information. Many of the Fortune 200 companies are global in nature, and sensitive customer data is always moving across the enterprise. Organizations, much like Marriott, are looking for a better way to maximize both the security and usability of sensitive data.

Global enterprises should be using vendors and tools that take a holistic view to design a data-first security approach which does all of the following:

  • envelopes all transactional and analytical systems within the enterprise
  • provides flexibility and scalability – allowing data to move in and out – across data silos
  • integrates easily whether you have an on-premises, hybrid or multi-cloud architecture
  • gives full visibility across your enterprise with a centralized, automated administrator
  • recommends and implements data deidentification techniques that enhance your performance and ensure better data security for the future

Stay tuned for my next blog, which will be focused on demystifying data protection methods. In the meantime, I’d love to hear your feedback and thoughts about this and other data breaches. What challenges are you encountering to protect your sensitive data? How are your concerns about exposing your sensitive data hindering your expansion in the cloud? I’m looking forward to connecting, learning about your data security and sharing models and best practices about data-first security.

I look forward to hearing from you. In the meantime, for more on this topic, please read our Why Encryption is Not Enough blog or visit our Vaultless Tokenization page.

*** This is a Security Bloggers Network syndicated blog from Blog – Protegrity authored by Huz Dalal.