Lessons learned: The Marriott breach

Overview of the breach

Marriott International has been in the news throughout 2019 due to a major data breach discovered and investigated in late 2018. The data breach, which leaked 383 million records, makes Marriott the company with the second-largest data breach in history (behind Yahoo’s three billion account breach).

Beyond the size of the breach, it is also significant for the types of data that were leaked. Based on the most recent reports by Marriott, the following information was exposed:

  • Guest payment card information: 9.1 million encrypted payment card numbers and expiration dates
    • 385,000 of the cards were valid at time of breach
    • Potentially “several thousand” unencrypted card numbers were breached
  • Guest records: Records of 383 million accounts with Starwood (owned by Marriott) that include:
    • Full names
    • Mailing addresses
    • Phone numbers
    • Email addresses
    • Gender
    • Rewards information
    • Arrival/departure
  • Passport numbers: 18.5 million encrypted and 5.25 million unencrypted passport numbers of guests

A large quantity of the breached data was encrypted, and the investigation performed by third parties employed by Marriott uncovered no evidence that the attackers gained access to the decryption key for this data. However, the amount of unencrypted data (including passport data) makes this a significant breach despite the fact that most of the payment card and passport information was properly protected.

Timeline of the breach

Beyond the scope of the breach itself, this incident is also distinguished by how it was managed by Marriott. The investigation stretched over three months, with new data about the impacts being discovered throughout the process. In this section, we’ll explore some of the major milestones within the breach process.

  • July 2014: Hackers penetrate Starwood systems
  • September 23, 2016: Marriott officially completes acquisition of Starwood
  • September 7, 2018: Accenture, a contractor managing the Starwood database for Marriott, becomes aware (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: