Your name, address, phone number, email address, passport number, date of birth, and sex are worth just £0.05 in the eyes of the UK Information Commissioner’s Office, which has fined Marriott £18.4m after 339 million people’s data was stolen from the hotel chain.
The fine was imposed as a regulatory punishment for the 2018 Starwood Hotels megabreach despite Marriott not accepting liability for wrongdoing.
Although the attack was originally thought to have exposed half a billion records in the chain’s guest reservation database, later investigations revised that figure downwards.
Within the exposed data were 5.25 million guests’ passport numbers, stored without encryption, as well as 18.5 million encrypted passport numbers and 9.1 million encrypted credit card numbers.
“When a business fails to look after customers’ data, the impact is not just a possible fine, what matters most is the public whose data they had a duty to protect,” said Information Commissioner Elizabeth Denham in a canned statement.
A Marriott spokeswoman told The Register: “Marriott deeply regrets the incident,” adding that the US hotel chain “remains committed to the privacy and security of its guests’ information and continues to make significant investments in security measures for its systems.”
Watertight like a colander
According to the ICO’s detailed monetary penalty notice [PDF], the hack was years in the making and was only detected when the attackers started sniffing around payment card data, having gone unnoticed for four years inside Starwood Hotels’ systems.
Starwood was bought by Marriott in 2016, though the acquired chain’s systems remained separate from Marriott’s own IT estate until the former were shut down post-buyout.
Unidentified malicious people managed to sneak a web shell onto a machine inside Starwood Hotels’ networks in July 2014. That shell was then used to plant various remote-access trojans (RATs) onto Starwood’s systems, along with the password-slurping open-source tool Mimikatz, which the attackers used to compromise further network accounts.
Those accounts included ones without multi-factor authentication – and accounts with admin creds for key databases. Still the attackers’ actions went unnoticed.
Between April 2015 and May 2016, the attackers quietly created database dumps “with a view to exfiltrating all the data contained” at once, as the ICO summarised it. They finally tripped an alarm in September 2018, four years after first entry, after running a count on a table named “Guest_Master_profile” containing card data, which was flagged by the IBM Guardium product that had been deployed to surface suspicious database operations.
Accenture, which was monitoring Guardium, told Marriott what it had seen. The resulting probe revealed that Accenture staffers’ own credentials had been compromised in July 2018 and were being used by the attackers.
By October 2018, Marriott had also realised that a separate group of attackers had managed to deploy in-memory malware across payment terminals at eight hotels the ICO declined to identify beyond saying they were not located in the European Economic Area, therefore falling outside its regulatory remit.
Poor infosec practices partly triggered GDPR liability
Despite being forced to admit that Starwood (and PCI-DSS auditors) had given misleading assurances about the extent of MFA deployment across accounts with access to the card data environment, Marriott was able to escape sanction for that. However, its corporate failure to spot the personal data dumping after the attackers got in counted against it.
“In this case, appropriate monitoring would have included the appropriate logging of user activity, especially in relation to privileged users,” said the ICO. “Marriott’s failure to log user activity in this way was inconsistent with its obligations under the GDPR.”
The regulator continued: “It would have been appropriate for Marriott to have implemented a defence in-depth strategy.” The ICO went on to demolish Marriott’s protestations that whitelisting known good accounts wouldn’t itself have been enough to stop the attackers.
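Two controls in the account above are worth seeing in code: the Guardium rule that fired on a count against the card-data table, and the ICO's point that privileged users' activity should be logged and reviewed. The following is an added example, not code from the article, the ICO notice or any Marriott or IBM product. It is a toy database-audit monitor that reads audit records of the form timestamp|user|host|statement, alerts on any statement touching a table designated as sensitive or matching a bulk-dump pattern, and records every action by a privileged account even when benign. The table names, user names, IP addresses and log lines are constructed for the example; the regexes are deliberately simple and are not a SQL parser.

```python
"""Toy database-audit monitor (added example; not from the article or any vendor).
Assumptions, all constructed for illustration: the sensitive table list, the
privileged account list, the pipe-delimited audit format and the sample log."""
from dataclasses import dataclass
import re

# Constructed: tables holding cardholder/passport data; any access is alert-worthy.
SENSITIVE_TABLES = {"guest_master_profile", "guest_passport"}
# Constructed: accounts treated as privileged (DBA and reporting service accounts).
PRIVILEGED_USERS = {"dba_admin", "svc_reporting"}
# Statement shapes that read or copy whole tables, which is what a dump for
# exfiltration tends to look like in an audit trail.
BULK_PATTERNS = (
    re.compile(r"^\s*select\s+count\(\*\)\s+from\s+(\w+)", re.I),
    re.compile(r"^\s*select\s+\*\s+from\s+(\w+)\s*;?\s*$", re.I),
    re.compile(r"into\s+outfile", re.I),
    re.compile(r"^\s*mysqldump\b|\bpg_dump\b", re.I),
)


@dataclass(frozen=True)
class Alert:
    user: str
    reason: str
    statement: str


# Constructed audit records: ISO timestamp | user | client host | statement
AUDIT_LOG = """\
2018-09-07T03:12:44Z|svc_reporting|10.1.20.15|SELECT room_rate FROM reservations WHERE stay_id = 4412
2018-09-07T03:13:01Z|dba_admin|10.1.20.99|SELECT COUNT(*) FROM Guest_Master_profile
2018-09-07T03:13:09Z|dba_admin|10.1.20.99|SELECT * FROM Guest_Master_profile INTO OUTFILE '/tmp/gmp.csv'
2018-09-07T03:14:30Z|frontdesk_12|10.1.30.7|SELECT name FROM guests WHERE guest_id = 99
"""


def table_names(statement):
    """Lower-cased names following FROM/JOIN/INTO (simple regex, not a SQL parser)."""
    return {m.lower() for m in re.findall(r"\b(?:from|join|into)\s+(\w+)", statement, re.I)}


def analyse(line):
    """Classify one audit record and return the alerts it raises (possibly none)."""
    ts, user, host, statement = line.split("|", 3)
    alerts = []
    hit = table_names(statement) & SENSITIVE_TABLES
    if hit:
        alerts.append(Alert(user, f"access to sensitive table {sorted(hit)}", statement))
    if any(p.search(statement) for p in BULK_PATTERNS):
        alerts.append(Alert(user, "bulk read/dump pattern", statement))
    # Privileged-account activity is always recorded for review, even when benign,
    # so that a later investigation has the trail the ICO said was missing.
    if user in PRIVILEGED_USERS and not alerts:
        alerts.append(Alert(user, "privileged-account activity (audit)", statement))
    return alerts


def scan(log_text):
    """Run analyse() over every non-empty line and flatten the alerts."""
    return [a for line in log_text.splitlines() if line.strip() for a in analyse(line)]


if __name__ == "__main__":
    for alert in scan(AUDIT_LOG):
        print(f"{alert.user:14} {alert.reason:45} {alert.statement}")
```

Run against the constructed log, the monitor raises five alerts: one audit record for the benign reporting query by a privileged account, two each (sensitive table plus bulk pattern) for the COUNT and the INTO OUTFILE dump against Guest_Master_profile, and nothing for the front-desk lookup. In a real deployment the sensitive-table list would come from a data inventory and the statements from the database's native audit log rather than an inline string.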
Intriguingly, a redacted section of the report refers to a “script” developed by Starwood and seemingly used by the attackers. That script “allowed for AES-128 encrypted entries in a database table to be decrypted.”
Pages 28-40 of the ICO monetary penalty notice [PDF] warrant close reading by conscientious techies and managers alike wanting to know how IT security practices played a direct role in deciding how badly Marriott had broken the EU’s GDPR. Though Britain leaves the EU-controlled GDPR regime in January, it is mirrored in the Data Protection Act 2018 and will remain in effective force.
The ICO said it would have imposed a £28m penalty but for Marriott having set up a data breach website and a call centre to run a breach hotline. It also emailed customers to notify them, and cooperated with ICO investigators. That won it a 20 per cent discount to £22.4m, with the COVID-19 pandemic scoring it a further £4m discount.
Francis Gaffney, director of threat intelligence at email security biz Mimecast, opined: “Too often, regulation is viewed as a burden, but organisations should start to view it through the lens of their customers, partners, or employees. If a customer trusts you with their data, you owe it to them to protect it and ensure it is safe. Many organisations are having to pay financial penalties for such data breaches and it is only afterwards that the cost of a breach now outweighs the potential savings from not investing in security and data management solutions.” ®