Last week, the news came out that Marriott suffered a massive data breach in their SPG part of the system – over 500 million customers in all were involved. Over 300 million of them were impacted by various aspects of their identity being compromised. On the heels of this, another massive breach has occurred, this time with Quora (100 million accounts affected). Of all the things with the Marriott breach, there were 2 parts that disturbed me the most – as a customer.
Two Disturbing Parts About the Marriott Security Breach
How the Breach Was Identified and What The Hackers Did
The first part that jumped out to me in the Marriott press release on the “security incident” had to do with how they identified the data breach. They were notified as a result of a security tool back in September that someone was attempting to access the Starwood guest database in the US.
However, according to Marriott’s statement, it wasn’t until after that, when they had retained security experts, that they actually found out about the real breach (it appears the attempted breach on September 8 may not have even had anything to do with the actual security breach). At that point, they found out that the system had been accessed by unauthorized individuals since September of 2014 – a period of 4 years with no one knowing what was happening.
Using Marriott’s word, they “recently” discovered that the individuals who had breached the system had not only copied the information but had actually gone ahead and encrypted it. It wasn’t until November 19 that Marriott’s team was able to decrypt what had been encrypted by these hackers and then realized the scope of this breach.
I am not a security expert at all, but I could not remember another security breach where those that penetrated the system had encrypted the information they were copying and then left it on the system.
All of this adds up to a major disturbing aspect to me, and that is that these hackers were so good that Marriott only identified a breach that had been around for 4 years because it seems someone else may not have been as good as the original hackers (the September 8th incident). Add that to the fact that these hackers encrypted the personal information of over 300 million people to such a degree that it took Marriott a while to decrypt it, and I am left wondering what was going on here.
Passports as Part of the Hack
Of the over 300 million customers that had personal information retrieved from the database, some of them had their passport numbers accessed as well. Of all the different hacks, this is a big problem for any traveler. It is bad enough if personal information is accessed and used to wreak havoc for people but people are only using their passports when they are traveling to foreign countries. If people are using this information in a malicious way, it could cause enormous problems for the customer traveling with a passport that had been part of the breach.
I have heard enough about the smuggling operations in southern Europe over the last few years to know how much people are paying for fake passports to get around Europe. Some of the smugglers are even selling real passports to the people trying to get to different European countries.
Imagine the problems that could occur if duplicate passports are made and used by someone that commits a crime or gets arrested for entering a country illegally. Now, imagine that is you and you use your actual passport to travel in a few months. What kind of problems could occur if that passport number was flagged as being stolen or, worse, found on the person of someone arrested for a crime and they think you are the one that may have committed the crime?
No matter what, having passport information out there is a huge problem for those customers. US Senator Chuck Schumer of NYS has been quoted as saying that Marriott should pay the $110 passport fee for those that had their passport numbers compromised in this hack. Hopefully, we will hear soon what Marriott does intend to do to make things right for any customer that had such valuable information stolen.
Takeaway
Security breaches are not going to stop. Hackers get better and learn how to breach systems all the time. The disturbing part of this Marriott breach, to me, was how Marriott actually found out about it (and what the hackers were doing with the information on the system) and the fact that passport numbers were a part of this breach.
Things like this certainly are good wake-up calls for all of us when it comes to how we control our own information with companies. Sure, some things are all about convenience and speed, but maybe we will think a minute before trading some of our information for that convenience in the future.
Oh, and one more thing, IHG – time to get real passcodes instead of using the ridiculous 4-digit PINs for account access. I still cannot believe they haven’t done something about this!
Any security experts that want to put my mind at ease about any of this? 🙂
Aggregating data to be exfiltrated from a target organization is a typical TTP. It was probably encrypted because of two things: 1. To hide the contents of the file from security products specifically designed to look for data that should not leave the company and 2. To prevent other threat actors from being able to use their “loot”. It is not unusual to find multiple threat actors in the networks of companies with a weak security posture.
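
From the defender's side, the first point in the comment above can be shown in a few lines. This is an added example, not code from the post or the commenter: a content-matching check finds passport-like values in a plaintext export, finds nothing once the same bytes are encrypted, and a byte-entropy check is what still flags the staged file. The record layout, the passport pattern, the 7.5 bits/byte threshold and the stand-in cipher are all assumptions made for the illustration.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed pattern for the sample data: one letter followed by eight digits.
PASSPORT_RE = re.compile(rb"\b[A-Z][0-9]{8}\b")
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed triage threshold

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: low for structured text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def stand_in_encrypt(data: bytes, key: bytes) -> bytes:
    """Produces ciphertext-like bytes offline (XOR with a SHA-256 counter
    keystream). A stand-in for an encrypted staging file, not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def content_hits(data: bytes) -> int:
    """What a pattern-based data-loss check sees: count of passport-like values."""
    return len(PASSPORT_RE.findall(data))

def classify(data: bytes) -> str:
    if content_hits(data):
        return "content-match"
    # Compressed archives also score high here, so this is a triage signal
    # to combine with file location, size and owner, not a verdict.
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "high-entropy"
    return "clean"

# Constructed samples (no real data).
GUEST_RECORDS = "".join(
    f"guest_id={i:06d},passport=X{i:08d},name=Guest {i}\n" for i in range(400)
).encode()
STAGED_BLOB = stand_in_encrypt(GUEST_RECORDS, b"constructed-key")
WEB_LOG = b"GET /index.html 200\n" * 200

if __name__ == "__main__":
    for name, blob in [("plaintext export", GUEST_RECORDS),
                       ("encrypted staging file", STAGED_BLOB),
                       ("ordinary log", WEB_LOG)]:
        print(f"{name}: hits={content_hits(blob)} "
              f"entropy={shannon_entropy(blob):.2f} -> {classify(blob)}")
```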