Learning from the Marriott International Data Breach

(originally published in Grit Daily)

The Marriott data breach highlighted several critical deficiencies in the company's cybersecurity mindset, plan and resources. Marriott International has admitted that attackers had been inside its Starwood guest reservation network since 2014, with records on roughly 500 million guests stolen. These included passport numbers, email addresses, physical addresses, payment card numbers and other personally identifiable information.

The intrusion began in 2014, yet it went undetected for four years. It is being reported that the attackers stole not only encrypted payment card data but also the components needed to decrypt it. Give an attacker that much undetected time on your network and they will uncover your deepest, darkest secrets. There is no shortage of security vendors and products on the market that are well suited to detecting this kind of long-running intrusion. The current 'average' time to detect a data breach is almost three months; two years ago it was twice as long. That's progress, right? Maybe.
Security intelligence and analytics are not just buzzwords. They are necessary tools for detecting and alerting on anomalies in real time. When these solutions are tuned to alert on real incidents, rather than on binary events or static thresholds that generate noise, they give responders real, actionable data much earlier in the kill chain. That allows a response within minutes in most cases, not years.
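To make the "tuned alerting versus raw thresholds" point concrete, here is an added example (not code from the original article or from any vendor product) that scores database-access events against each account's own baseline and only alerts when several weak signals coincide. The log format, account names, IP addresses and row counts are all constructed for illustration and are not Marriott's data.

```python
"""Added example: baseline-aware alerting over constructed access-log lines.

A fixed row-count threshold either fires on a legitimately large report job
(noise) or misses a modest but abnormal read by a privileged account. Combining
a per-account volume z-score with "never-seen source IP" and "off-hours"
separates the two. All names, addresses and numbers below are made up."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO timestamp> <account> <source ip> rows=<n>"
SAMPLE_LOG = """\
2018-09-03T10:15:00 svc_reports 10.1.20.7 rows=1200
2018-09-04T10:17:00 svc_reports 10.1.20.7 rows=1350
2018-09-05T10:14:00 svc_reports 10.1.20.7 rows=1100
2018-09-06T10:16:00 svc_reports 10.1.20.7 rows=1280
2018-09-07T10:15:00 svc_reports 10.1.20.7 rows=1190
2018-09-07T11:00:00 svc_reports 10.1.20.7 rows=1600
2018-09-08T02:41:00 svc_reports 203.0.113.9 rows=4200000
2018-09-03T09:00:00 dba_joe 10.1.30.2 rows=50
2018-09-04T09:05:00 dba_joe 10.1.30.2 rows=40
2018-09-05T09:01:00 dba_joe 10.1.30.2 rows=60
2018-09-08T09:02:00 dba_joe 10.1.30.9 rows=20000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) rows=(\d+)$")


def parse(log):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, ip, rows = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "rows": int(rows)})
    return events


def fixed_threshold(events, max_rows):
    """The naive rule: alert on any single read above max_rows."""
    return [e for e in events if e["rows"] > max_rows]


def score_events(events, min_history=3, z_alert=3.0, min_signals=2):
    """Alert only when at least min_signals independent indicators agree.

    history/seen_ips are built incrementally in time order, so each event is
    judged against what was known before it (no peeking at later data)."""
    history = defaultdict(list)   # account -> row counts seen so far
    seen_ips = defaultdict(set)   # account -> source IPs seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, rows, ip = ev["account"], ev["rows"], ev["ip"]
        signals = []
        hist = history[acct]
        if len(hist) >= min_history:
            stdev = statistics.pstdev(hist) or 1.0      # avoid divide-by-zero
            z = (rows - statistics.mean(hist)) / stdev
            if z > z_alert:
                signals.append(f"volume z={z:.1f}")
        if seen_ips[acct] and ip not in seen_ips[acct]:
            signals.append(f"new source {ip}")
        if not 6 <= ev["ts"].hour < 20:                # assumed business hours
            signals.append("off-hours")
        if len(signals) >= min_signals:
            alerts.append({"account": acct, "ts": ev["ts"], "rows": rows,
                           "signals": signals})
        hist.append(rows)
        seen_ips[acct].add(ip)
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("fixed threshold (>1500 rows) fires on", len(fixed_threshold(evs, 1500)), "events")
    for alert in score_events(evs):
        print(alert["ts"], alert["account"], alert["rows"], alert["signals"])
```

With these constructed lines the fixed threshold fires three times, including once on the ordinary 1,600-row report run; the combined scorer fires twice, on the 4.2 million-row off-hours read from an unfamiliar address and on the DBA account's 20,000-row read from a new host, and stays quiet on the report job because volume alone is not enough evidence.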
Storing unnecessary data, and storing data for too long, is another major issue in the Marriott case. Attackers can't steal what you don't have. We all have junk stored away in our houses and garages for that moment "one day when I might need it". This is the digital version of hoarding. Keeping data, especially customers' personally identifiable information, long past the point where it is needed is a recipe for disaster in the digital world. This is what thieves are after: the goldmine. Marriott delivered. But they are not the only ones.
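The two halves of that paragraph, refusing to collect fields you do not need and letting the ones you do keep expire, can both be enforced in code. The following is an added example, not code from the original article or from any hotel reservation system; the field names, retention periods and the sample record are assumptions made up for illustration.

```python
"""Added example: collection allow-list plus per-field retention clock.

RETENTION_DAYS is an assumed policy: which fields a guest record may hold and
how many days after the guest's last stay each field may persist. A field with
0 days is never stored at all (e.g. card numbers are tokenised at the payment
gateway instead). Anything not in the table is dropped on arrival."""
from datetime import date

RETENTION_DAYS = {
    "name": 365 * 2,
    "email": 365 * 2,
    "passport_number": 30,    # needed around check-in, then gone
    "card_number": 0,         # never stored raw
    "stay_dates": 365 * 7,    # assumed financial-record requirement
}


def minimise(raw_record):
    """Keep only allow-listed fields with a non-zero retention period."""
    return {k: v for k, v in raw_record.items()
            if RETENTION_DAYS.get(k, 0) > 0}


def expire(record, last_stay, today):
    """Return a copy with every field whose retention window has lapsed removed."""
    age = (today - last_stay).days
    return {k: v for k, v in record.items() if age <= RETENTION_DAYS.get(k, 0)}


def sweep(records, today):
    """Nightly job over (record, last_stay) pairs; drops records that become empty."""
    kept = []
    for record, last_stay in records:
        trimmed = expire(record, last_stay, today)
        if trimmed:
            kept.append((trimmed, last_stay))
    return kept


# Constructed sample: what an over-eager integration tried to store.
SUBMITTED = {
    "name": "A. Guest",
    "email": "a.guest@example.com",
    "passport_number": "X1234567",          # fake
    "card_number": "4111111111111111",      # test card number
    "ssn": "123-45-6789",                   # fake; should never be collected here
    "mothers_maiden_name": "Smith",
    "stay_dates": "2018-09-01..2018-09-03",
}
LAST_STAY = date(2018, 9, 3)


def run_example(today=date(2018, 12, 1)):
    """Store the minimised record, then apply the retention clock as of `today`."""
    stored = minimise(SUBMITTED)
    retained = expire(stored, LAST_STAY, today)
    return stored, retained


if __name__ == "__main__":
    stored, retained = run_example()
    print("stored:  ", sorted(stored))
    print("retained:", sorted(retained))
```

On the sample record the SSN, maiden name and raw card number never reach storage, and 89 days after the stay the passport number has already been purged while the fields with a longer justified retention remain; a record whose every field has expired disappears entirely from the sweep.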

Stop, stop, stop using Social Security numbers as identifiers. Somehow, over time, Social Security numbers issued by the United States government became the de facto way to uniquely identify an individual. Medical records, bank accounts, airline and hotel programs, credit card accounts, loans, home and car purchases all hinge on a single nine-digit number linked to one person, a number that is almost impossible to replace once it leaks. The damage caused when it falls into the wrong hands can be immense and is sometimes irreparable for the individual. There are viable alternatives: biometrics, voice recognition and others. Granted, these have their own vulnerabilities, but if enough effort is put into securing another method of identification, it would make the SSN as an identifier obsolete, along with all the vulnerabilities that come with it.
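The biometric alternatives mentioned above are beyond a short example, but the underlying design change, keying customer records on an opaque, replaceable identifier and never on the SSN, is easy to show. The following is an added example, not code from the original article or any real system, and it swaps in a different technique from the one the text proposes: a random surrogate identifier plus a keyed hash (HMAC) of the SSN for matching. The class, the pepper and the customer names are assumptions for illustration.

```python
"""Added example: opaque customer identifiers instead of SSN-as-key.

The SSN is never persisted. Matching an inbound SSN to an existing record uses
HMAC-SHA256 under a secret pepper; a plain SHA-256 would not do, because the
nine-digit space is small enough to brute-force without the key. In practice
the pepper lives in a KMS/HSM, not next to the data (the article's point about
keys being stolen together with the encrypted data)."""
import hashlib
import hmac
import secrets


class CustomerDirectory:
    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._by_id = {}        # opaque customer id -> record
        self._by_tag = {}       # HMAC(ssn) -> opaque customer id

    def _tag(self, ssn: str) -> str:
        digits = ssn.replace("-", "").strip()
        if len(digits) != 9 or not digits.isdigit():
            raise ValueError("SSN must be nine digits")
        return hmac.new(self._pepper, digits.encode(), hashlib.sha256).hexdigest()

    def enroll(self, name: str, ssn: str) -> str:
        """Create (or return the existing) opaque id for this person."""
        tag = self._tag(ssn)
        if tag in self._by_tag:
            return self._by_tag[tag]
        cid = secrets.token_urlsafe(16)     # the id every other system uses
        self._by_id[cid] = {"name": name}
        self._by_tag[tag] = cid
        return cid

    def find_by_ssn(self, ssn: str):
        """Match without ever storing the SSN itself."""
        return self._by_tag.get(self._tag(ssn))

    def rotate_id(self, cid: str) -> str:
        """A leaked customer id is simply replaced; a leaked SSN cannot be."""
        record = self._by_id.pop(cid)
        new_id = secrets.token_urlsafe(16)
        self._by_id[new_id] = record
        for tag, mapped in self._by_tag.items():
            if mapped == cid:
                self._by_tag[tag] = new_id
        return new_id

    def contains_plaintext(self, ssn: str) -> bool:
        """Sanity check: the raw SSN must not appear anywhere in the store."""
        digits = ssn.replace("-", "")
        blob = repr(self._by_id) + repr(self._by_tag)
        return ssn in blob or digits in blob


def demo():
    # Constructed data: a fake SSN and a throwaway pepper.
    directory = CustomerDirectory(pepper=secrets.token_bytes(32))
    cid = directory.enroll("A. Guest", "123-45-6789")
    same = directory.enroll("A. Guest", "123456789")     # formatting differences match
    new_id = directory.rotate_id(cid)
    return directory, cid, same, new_id


if __name__ == "__main__":
    directory, cid, same, new_id = demo()
    print("enrolled as", cid, "(duplicate enrol returned same id:", same == cid, ")")
    print("after rotation:", directory.find_by_ssn("123-45-6789") == new_id)
    print("plaintext SSN in store:", directory.contains_plaintext("123-45-6789"))
```

Downstream systems (loyalty, billing, partner APIs) receive only the opaque id, so a leak in any one of them exposes a value that can be rotated rather than a number the customer keeps for life.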

Adding insult to injury, Marriott's breach notification to its millions of members was sent from a newly registered domain, "email-marriott.com", registered to a third party authorized to handle notifications on Marriott's behalf. Not only did the email raise suspicion about its own authenticity, but the domain pointed to a site with no information and had no HTTPS certificate to identify its owner, which left Marriott's customers exposed to copycat domains registered by criminals. What this shows is a lack of investment in cybersecurity by Marriott International. They did not have the expertise in place to assess their risks or to recover from an incident properly.
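The checks a cautious recipient (or a SOC triaging user reports) would apply to such a notice are mechanical: does the sender stay on the brand's established domain, does every link, and does the message carry any authentication at all. The following is an added example, not code from the original article or from Marriott; the sender domain "email-marriott.com" comes from the article, while the known-domain list, headers and body text are constructed for illustration.

```python
"""Added example: triage of a breach-notification email.

Checks, purely from the message text: sender domain against a known allow-list,
presence (not validity, which needs DNS) of DKIM/Authentication-Results headers,
and the domain and scheme of every link in the body. KNOWN_DOMAINS is an
assumption; both messages below are constructed."""
import re
from email import message_from_string
from urllib.parse import urlparse

KNOWN_DOMAINS = {"marriott.com"}      # assumed: the brand's established domain(s)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message modelled on the situation the article describes.
SAMPLE_NOTICE = """\
From: Marriott International <notice@email-marriott.com>
To: guest@example.com
Subject: Information about a security incident
Content-Type: text/plain; charset=utf-8

We are writing to tell you about an incident. For details visit
http://email-marriott.com/info or https://www.marriott.com/faq
"""

# Constructed message showing what a non-suspicious notice would look like
# (the DKIM header is a placeholder, present but not cryptographically checked here).
GOOD_NOTICE = """\
From: Marriott International <notice@marriott.com>
To: guest@example.com
Subject: Information about a security incident
DKIM-Signature: v=1; a=rsa-sha256; d=marriott.com; s=selector; bh=placeholder; b=placeholder
Content-Type: text/plain; charset=utf-8

Details and next steps are at https://www.marriott.com/faq
"""


def registrable(host):
    """Crude registrable-domain extraction (last two labels); fine for .com brands,
    wrong for suffixes like co.uk, where a public-suffix list is needed."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage(raw, known=KNOWN_DOMAINS):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = registrable(m.group(1)) if m else None
    if sender not in known:
        findings.append(f"sender domain {sender} is not a known brand domain")

    if "DKIM-Signature" not in msg and "Authentication-Results" not in msg:
        findings.append("message carries no DKIM signature or authentication results")

    body = msg.get_payload()
    for url in URL_RE.findall(body):
        u = urlparse(url)
        if u.hostname is None or registrable(u.hostname) not in known:
            findings.append(f"link to unknown domain: {url}")
        if u.scheme != "https":
            findings.append(f"link without TLS: {url}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_NOTICE), ("clean", GOOD_NOTICE)):
        print(label, "->", triage(raw) or ["no findings"])
```

Run against the constructed notice the function flags the unfamiliar sender domain, the absence of any authentication headers, and a plain-HTTP link on that same unfamiliar domain; the clean variant produces no findings. The same allow-list is what the sending side should have consulted before choosing a domain for the notification in the first place.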

There is a lot we can learn from the Marriott breach, yet just as with Equifax, Target, Home Depot and every other mega-breach in recent history, it will all be forgotten in due time. Marriott will make a good statistic in security presentations discussing the volume and size of the breach, but I don't expect much change beyond that without a serious shift in mindset.