Breach Case Study On Marriott/Starwood Hotel System - - PowerPoint PPT Presentation


Breach Case Study On Marriott/Starwood Hotel System 2014 – 2018+

Stephen P. Cutler, PhD, spcutler@omnipay.asia

SLIDE 6

We will look at it from the perspective of Confidentiality, Integrity, Accessibility, and Accountability, Compliance, Ethics.

SLIDE 7

Let’s keep in mind:

  • What personal data do you hold?
  • Where is it held?
  • Who has access to it, and what kind of access?
  • When did you collect it?
  • Why did you collect this detail?
  • What level is the data classified at?
  • Is consent well documented?
SLIDE 8

Marriott is a great company: global, warm, great reputation.

SLIDE 9

Marriott has owned the Starwood System since 2016.

SLIDE 10

The Starwood System consists of 11 brands and 1,200 properties on six continents.

SLIDE 11

On 8 SEP 2018, an internal security tool alerted Marriott staff to an attempt to access and exfiltrate the database.
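The slide says an internal tool raised the alert on an access-and-exfiltration attempt. As an added illustration, not part of the original presentation and not Marriott's tooling, here is a minimal bulk-read detector in Go run over a constructed database audit log: it sums rows returned per principal and source address, flags totals above a threshold, and notes whether any of that activity fell outside business hours. The log format, user names, addresses, threshold and business-hours window are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed sample audit-log lines in a key=value layout invented for this
// example (not any real product's format). The svc_report session returns
// millions of guest rows at 02:00 UTC, which a rule like this should surface.
var sampleAuditLog = []string{
	"2018-09-07T23:58:11Z user=reservations_app db=guests stmt=SELECT rows=12 src=10.20.1.15",
	"2018-09-08T02:14:07Z user=svc_report db=guests stmt=SELECT rows=4800000 src=10.20.1.99",
	"2018-09-08T02:15:30Z user=svc_report db=guests stmt=SELECT rows=3900000 src=10.20.1.99",
	"2018-09-08T09:05:02Z user=front_desk db=guests stmt=SELECT rows=3 src=10.20.1.22",
	"2018-09-08T09:06:40Z user=front_desk db=guests stmt=UPDATE rows=1 src=10.20.1.22",
}

// Alert is one finding: which principal, from where, how many rows, and
// whether any of its reads happened outside the assumed 07:00-19:00 UTC window.
type Alert struct {
	User      string
	Src       string
	TotalRows int
	OffHours  bool
}

// event is one parsed audit line.
type event struct {
	ts   time.Time
	kv   map[string]string
	rows int
}

// parseLine turns "<RFC3339 timestamp> k=v k=v ..." into an event.
func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return event{}, fmt.Errorf("too few fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, err
	}
	ev := event{ts: ts, kv: map[string]string{}}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return event{}, fmt.Errorf("bad field %q", f)
		}
		ev.kv[k] = v
	}
	ev.rows, err = strconv.Atoi(ev.kv["rows"])
	if err != nil {
		return event{}, fmt.Errorf("bad rows in %q", line)
	}
	return ev, nil
}

// DetectBulkReads aggregates rows returned by SELECT statements per
// (user, src) pair and raises an alert when the total exceeds maxRows.
// Malformed lines and non-read statements are skipped.
func DetectBulkReads(lines []string, maxRows int) []Alert {
	type key struct{ user, src string }
	totals := map[key]int{}
	offHours := map[key]bool{}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil || ev.kv["stmt"] != "SELECT" {
			continue // only reads count toward exfiltration volume
		}
		k := key{ev.kv["user"], ev.kv["src"]}
		totals[k] += ev.rows
		if h := ev.ts.UTC().Hour(); h < 7 || h >= 19 {
			offHours[k] = true
		}
	}
	var alerts []Alert
	for k, n := range totals {
		if n > maxRows {
			alerts = append(alerts, Alert{User: k.user, Src: k.src, TotalRows: n, OffHours: offHours[k]})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].TotalRows > alerts[j].TotalRows })
	return alerts
}

func main() {
	for _, a := range DetectBulkReads(sampleAuditLog, 100000) {
		fmt.Printf("ALERT user=%s src=%s rows=%d off_hours=%v\n", a.User, a.Src, a.TotalRows, a.OffHours)
	}
}
```

A fixed row threshold is the simplest form of this rule; in practice the threshold would be a per-principal baseline, and the alert would be joined with the source host and session details before anyone acts on it.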

SLIDE 12

Think about that database: name; date of birth; gender; mailing address; phone; email address.

SLIDE 13

Think about that database: passport information; arrival/departure data; Preferred Guest information; communication preferences.

SLIDE 14

Marriott says that perhaps 500 million Starwood guest records may have been stolen.

SLIDE 15

The alert was posted on September 8, 2018. Marriott’s notification and public announcements are worded to say the breach was “discovered on or before September 10, but may go back to 2014”.

SLIDE 16

Payment card data was protected by the Advanced Encryption Standard (AES-128), but the decryption components may or may not have been taken as well.
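The point of this slide is that AES-128 protects card data only as long as the key material is kept apart from the data it protects. The following Go example is added here and is not taken from the presentation or from Marriott/Starwood's systems. It contrasts a "colocated" layout, where the data key sits in the same row as the ciphertext and a stolen dump decrypts itself, with envelope encryption, where each record's key is wrapped under a key-encryption key (KEK) held outside the database. The record layouts, the test PAN and the in-memory KEK are constructed assumptions; in production the KEK would live in an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ColocatedRecord is the weak layout: the data-encryption key (DEK) is stored
// in the same row as the ciphertext, so whoever copies the table gets both.
type ColocatedRecord struct {
	DEK, Nonce, Ciphertext []byte
}

// EnvelopeRecord is the separated layout: the DEK is itself encrypted
// ("wrapped") under a KEK that is never stored in the database tier.
type EnvelopeRecord struct {
	WrappedDEK, WrapNonce, Nonce, Ciphertext []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // AES-128 when key is 16 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and returns (nonce, ciphertext).
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's authentication tag rejects a wrong key or tampered data.
func open(key, nonce, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

func newDEK() ([]byte, error) {
	dek := make([]byte, 16) // fresh 128-bit key per record
	_, err := rand.Read(dek)
	return dek, err
}

// EncryptColocated stores the DEK beside the ciphertext it protects.
func EncryptColocated(pan string) (ColocatedRecord, error) {
	dek, err := newDEK()
	if err != nil {
		return ColocatedRecord{}, err
	}
	nonce, ct, err := seal(dek, []byte(pan))
	return ColocatedRecord{DEK: dek, Nonce: nonce, Ciphertext: ct}, err
}

// DecryptFromDump needs nothing beyond the stolen row itself.
func DecryptFromDump(r ColocatedRecord) (string, error) {
	pan, err := open(r.DEK, r.Nonce, r.Ciphertext)
	return string(pan), err
}

// EncryptEnvelope stores only the wrapped DEK; the plaintext DEK is discarded.
func EncryptEnvelope(kek []byte, pan string) (EnvelopeRecord, error) {
	dek, err := newDEK()
	if err != nil {
		return EnvelopeRecord{}, err
	}
	nonce, ct, err := seal(dek, []byte(pan))
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wn, wdek, err := seal(kek, dek)
	return EnvelopeRecord{WrappedDEK: wdek, WrapNonce: wn, Nonce: nonce, Ciphertext: ct}, err
}

// DecryptEnvelope is the legitimate path: unwrap the DEK with the KEK, then open
// the PAN. A caller without the real KEK fails at the unwrap and gets no PAN.
func DecryptEnvelope(kek []byte, r EnvelopeRecord) (string, error) {
	dek, err := open(kek, r.WrapNonce, r.WrappedDEK)
	if err != nil {
		return "", errors.New("unwrap failed: KEK not available to this caller")
	}
	pan, err := open(dek, r.Nonce, r.Ciphertext)
	return string(pan), err
}

func main() {
	const pan = "4111111111111111" // constructed test PAN, not real card data
	kek := make([]byte, 16)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	c, _ := EncryptColocated(pan)
	fmt.Println(DecryptFromDump(c)) // dump alone recovers the PAN
	e, _ := EncryptEnvelope(kek, pan)
	fmt.Println(DecryptEnvelope(kek, e))              // with the KEK: PAN
	fmt.Println(DecryptEnvelope(make([]byte, 16), e)) // dump without KEK: error
}
```

The design choice worth taking from this is where the KEK lives: if the same host, backup or database account that holds the ciphertext can also read the KEK, the envelope layout collapses back into the colocated one.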

SLIDE 17

U.S. Senator Charles Schumer says that Marriott ought to cover the cost of new passports for victims:

  • $110 x 327 million
  • Basically, “You caused this. You fix it now.”
SLIDE 18

U.S. Senator Elizabeth Warren calls for severe penalties for the CEO and other officers personally. Basically, “You broke these people’s trust. You go to jail.” U.S. law does not currently have such a penalty.

SLIDE 19

The company admits “We failed.” It has cooperated with law enforcement and regulatory agencies. It has investigated thoroughly and found that the breach is likely to have begun in 2014, before it bought Starwood.

SLIDE 20

Marriott established a website and call center for victim support. It has emailed everyone in the database. It offers free enrollment in “WebWatcher”.

SLIDE 21

Marriott faces a class action lawsuit. Marriott’s share price fell 5.6%.

SLIDE 22

According to a Forbes report by Thomas Brewster posted in December, Marriott had a string of cyber security problems. At least one of those came from a contracted cybersecurity vendor’s mistake.

SLIDE 23

One problem discovered was an easily guessed password for the Starwood Service system; once “inside” that system, one could access financial records, I.T. security controls AND bookings information.

SLIDE 24

Investigation and reviews have disclosed that Russian criminals used a botnet on hacked Starwood servers.

SLIDE 25

Based on New York Times and Wall Street Journal reports, other media published items on January 4, 2019 stating that the hackers may or may not have been working for China’s Ministry of State Treasury.

SLIDE 26

So, again, in light of the DPA:

  • Who?
  • What?
  • When?
  • Where?
  • Why?
SLIDE 27

Any questions?

SLIDE 28

Thank you!

Stephen P. Cutler, spcutler@omnipay.asia
