Big Company, Big Breaches, Big Settlement

If you’ve ever stayed at hotel, you’ve probably stayed with Marriott.  Marriott International is the world’s largest hotel company.  Nearly 8900 properties in 141 countries and territories. Wow! That’s a lot.

They have another distinction:  Marriott and now subsidiary company Starwood Hotels & Resorts Worldwide, LLC suffered three major cyber security breaches in the last decade affecting over 344 million guest and loyalty records.  What was it? Everything from passport numbers and personal info to payment card info and hotel stay history.

Now Marriott International has approved a $52 million settlement with 50 states and D.C.  The group action of 50 state attorneys general over three breaches that have plagued Marriott is just one of the penalties against the hotel giant.  It paves the way for more actions in other countries and is only the latest and largest to date for the company.

The Federal Trade Commission worked in parallel with the 50 states investigation and has imposed other terms.  The FTC requires Marriott International and subsidiary Starwood Hotels & Resorts Worldwide LLC to put in place “a robust information security program.” Marriott will improve data security practices “using a dynamic risk-based approach” with customer data protections, and pay $52 million to States.

Allegations by Attorneys General

Marriott violated state consumer protection laws, personal information protection laws, and breach notification laws by failing to implement reasonable data security and fix data security holes.  Particularly with integrating Starwood into Marriott systems.

What Happened in Marriott Data Breaches

Strike 3
Marriott Guest Records

Hackers accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. Names, mailing addresses, email addresses, phone numbers, birth day and month, and loyalty account information were breached.  Network access went undetected from September 2018 until February 2020.

How Breach Happened

Attackers used compromised employee credentials to breach its network several times

Settlement Requirements for Marriott

The following are requirements of the settlement with the States & DC

• • Pay $52 million to the U.S. states & D.C.

  • Allow U.S. customers to request deletion of personal info tied to their email address or loyalty rewards account number. And they must review loyalty rewards accounts upon customer request and restore stolen loyalty points.
  • Implementation of a comprehensive Information Security Program. This includes new overarching security program mandates, such as incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the Chief Executive Officer, and enhanced employee training on data handling and security.
  • Data minimization and disposal requirements, which will lead to less consumer data being collected and retained.
  • Specific security requirements with respect to consumer data, including component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
  • In the future, if Marriott acquires another entity, it must timely further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.
  • Offer multi-factor authentication to consumers for their loyalty rewards accounts, such as Marriott Bonvoy
  • Review rewards accounts if there is suspicious activity.

Additional FTC REquirements:

Marriott must investigate suspicious activity within 24 hours and provide assessments and reports for future data breaches within 120 days.

LOCK DOWN SYSTEMS

Zero Trust, Deny by Default

This is an Aditi Group favored strategy and special leading-edge functionality that we offer our clients.  Unlike anti-malware or anti-virus programs which look for what is already running, downloaded or installed, we lock down and set computers to deny by default.  So, malware often can’t download, and can’t install or run. 

We limit software programs that can install, run, or even be uninstalled to what we allow.  And within those programs, only expected actions are allowed.   What computer and data resources programs can use are by allow-list only. In essence, it’s the IT managers dream – lock everything down to just what is needed to do the job.  We also employ ways to limit escalation of rights from user accounts so they can’t go from being an every day user to having Administrator rights.

With this approach, malware, keyloggers, memory scrapers, and remote access programs would never have been allowed to install.

KNOW THE RISKS

Regular Risk Assessments

Marriott strayed from its forward looking nature and focus on people and excellence.   While Marriott wasn’t responsible for the actions or inactions of Starwood prior to take-over, it is now ultimately responsible and should have done a deep dive into the IT Security Step 1:  RISK ASSESSMENT.

Aditi Group, like our peers who support data privacy laws such as HIPAA and consumer protection laws know that good security begins with identifying the risks.  And that should be followed by making plans to patch holes and reduce risks.   The most comment and first item noted from all HIPAA violation settlements is Lack of Proper Risk Assessment.

This is also an age old precept of warfare.  We must know our strengths and weaknesses and anticipate how the other side may try to exploit weak defenses and human behavior.

Risk Assessments and taking action to fix gaps helps avoid breaches and penalties if problems do happen.

DO THE BASICS

Encryption, Multi-factor Authentication

A second take-away is to ensure that the basic tools and techniques are used.  Stolen data includes unencrypted passport numbers and personal contact data.  Encryption is a basic data security method that should be activated for data that can be used in personal credit fraud.  Numerous state and federal and international data privacy laws require encryption of sensitive data or de-identification of it.  This is nothing new.  It should be the norm.

MFA prevents most account compromising.  Encrypted data is useless to hackers. 

KEEP ONGOING AWARENESS

Monitor Data Going Out, Monitor Account Logins, Malware Scans

Each of the data breaches with Starwood and Marriott went more than a year before they were detected.  The latest happened over four years.  That’s a lifetime in the electronic data world.   This fact is a driver of the ever increasing focus of anti-virus and cyber security programs to do what is called pattern recognition or behavioral analysis.  They look for the anomolys.   Just like when your credit card company puts a lock on your card if you suddenly use it at 3am to buy $100 in gasoline 3 times in 30 minutes…”that didn’t look like you.”

Monitors should have revealed issues within short time

Marriott History

Marriott International is the world’s largest hotel chain.   With over 30 brands, you’re familiar with them.  This dizzyingly large list covers the range of resort, boutique, luxury, business traveler, extended stay and budget economy stays.  You’ve probably stayed in many of their nearly 8900 properties in 141 countries and territories.

From Root Beer to Global Empire

J.W. and Alice Marriott founded this massive global leader from humble beginnings in 1927, serving A & W Root Beer in D.C. stand that grew to Hot Shoppe diners.  This grew into food service for the airline industry.  Momentum grew into cafeteria management services. 

Thirty years after serving their first root beer, the company drifted into hotels with Twin Bridges Motor lodge. Led by Bill Marriott, Jr., this foray into hoteling grew and grew over the next 50 years into an international hotel giant.   In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide creating the world’s largest hotel company.

The long trajectory of expansion was guided and maintained by corporate values of realizing opportunities and changing with the times.  This latest cybersecurity breach settlement for Marriott is a story of missing the mark with company values. 

Marriott didn’t do everything they should have to protect customers like you and me after the 2016 take-over of Starwood.

Starwood and Marriott Fell Short of Core Values

Lessons for Everyone

While Marriott and Starwood can’t turn the clock back and prevent the breaches of personal data that have already happened, they can now make security a “Job One” kind of priority.  And we hope that other companies learn from Marriott’s experiences and the judgements of attorneys general and the FTC.   Apply the lessons for your organiztion and keep private data private and secure.

Need Help?

Aditi Group, Inc provides Zero Trust security tools including deny-by-default, data encryption, multi-factor authentication, password management, account and network monitoring, and risk assessments.   Call or message us to learn more today.

<<   IT Managers’ Dream

The fantasy for many a CISO or IT manager is to fully lock down every computer.  No one gets admin rights but them.  No one else can make changes, install risky software, use weak passwords, move data with insecure ways, or otherwise erode the secure defenses our IT leaders put in place.

>>  IT Reality

Keeping offices in forward motion and appeasing staff traditionally means trade-offs.  We vote for quick and easy over secure and thorough and secure.  The real picture is too often weak or compromised security to allow programs and people to get the job done.  Thieves pray on the security trade-offs and compromises we make for convenience.  Something to exploit!

Enjoy the Security & Productivity Rewards

We can have our cake AND eat it too.  We can now effectively and securely enable powerful software tools while reducing cybersecurity risks.  This is the not the end-all, be-all for security, but it significantly reduces risk of hacking of valuable financial data.  And that can be the difference between having a thriving accounting, bookkeeping, or tax preparation business and lawsuits and penalties for allowing hackers to get to client data.

Weakness Scoring System

Our Federal government division witin the Department of Commerce, under the National Institute of Standards and Technology, NIST, has a National Vulnerability Databaase designed to help the public, and especially the technical administrators of IT systems to guage potential weaknesses or vulnerabilities in software and hardware systems.  

NIST has been working with private industry and other public sector organizations to rate and maintain a catalog of IT threats.   Originally started in 1999 under another name, and as an effort between NIST, SANS institute, and othrs, under the name ICAT or Internet Category Attack Toolkit.  It evolved and even faced death by lack of budgets until rebranded as NVD in 2005 and supported more fully.  

Listen in as we kick off Cybersecurity Month with another great interview by Dorothy Cociu on the Benefits Executive Roundtable.  In this show we discuss hot security topics and security breaches in 2022 and 2021.  Find out what’s been happening and what you can avoid being a statistic!

Listen and follow the podcast series Benefits Executive Roundtable:

https://advancedbenefitconsulting.com/s4e6-data-security-risks-and-importance-of-cybersecurity-part-1/?

Read the article in the STATEment May / June 2022 issue

In this episode cyber security experts from Aditi Group tell us about why things are not Golden at Coors this week. And you’ll learn about the hack that is sweeping the planet with Microsoft Exchange. This first Friday Happy Hour edition podcast uncovers network security issues at Molsen-Golden that have had big impact on the taps and the company bottom line. We’ll talk data backups, ransomware, cyber hacks and more as we also cover the Microsoft global vulnerability that has already affected tens of thousands of servers. Join us to hear about these stories and how they relate to you and your precious electronic data.

Press the ARROW on the player below to listen now

Where Are You Most Vulnerable?

Hackers understand that employees are often the weakest link in an organization’s security. That’s why 98% of cyber attacks rely on some type of social engineering, costing companies $billions every year.

Are you familiar with these new Cyber criminal techniques that can leverage ANY connected employee to breach your security?

As an increasing number of employees are forced to work remotely during the COVID-19 crisis, IT networks have become even more vulnerable to cyber-attack, especially when users connect over unsecure Wi-Fi and/or Home Networks with their personal devices.

In addition to raising awareness about new security threats for your employees, we’ve included 8 tips to help teleworkers (and any connected employees) improve security. You’ll also see recommendations on how ongoing Cyber Security Awareness Training is crucial to a strong defense.

While users are regularly encouraged to keep their anti-virus definitions and software up-to-date, 6% percent of users NEVER receive any type of security awareness training, while another 33% receive only once per year or when they join the company.

Key Security Lingo

Every employee should also become familiar with the latest phishing and ransomware strategies to prevent becoming that weak link.

Phishing (or Spear Fishing)

Vishing

Pretexting

Business E-Mail Compromise (BEC)

Baiting

From an IT Security perspective, the term “social engineering” refers to cybercriminals using any number of psychological tricks to get users to perform actions (click on an email or link) or divulge personal or confidential information.
While technical hackers seek vulnerabilities in the networks or software, social engineering cybercriminals exploit an end user’s tendency to trust.

Other types of social engineering may include creating distrust, or starting conflicts by altering private or corporate communications. There are literally thousands of variations to social engineering attacks, limited only by the criminal’s imagination.

Phishing (or Spear Fishing)

Phishing is the most common type of social engineering attack. Hackers pose as a trusted source (a friend, boss, colleague, bank official, government agency, etc.) and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data.

The cybercriminal may obtain your email address from a compromised email account or web directory and then go “Phishing,” sending general emails to everyone, or go “spear fishing,” personalizing an email for just you.

The email will contain:

• A link that you just have to click on, taking you to a website that asks for your personal information and/or automatically downloads malware
• An attachment of pictures, music, movie, document, etc., that has malicious software embedded. 

Vishing

Another type of phishing, using voice instead of text. The cybercriminal recreates an IVR (Interactive Voice Response) system of a trusted company, attaches it to a toll-free number and tricks you into responding to the cell phone prompts with your personal information.

Pretexting

Pretexting is a social engineering technique of presenting oneself as someone else in a fictional situation in order to obtain private information.

This may be another phishing exploit, or use baiting techniques, but it’s all about developing a believable story, which may include:

Urgent request for help. Your ’friend’ is stuck in another country and needs money to get home or to pay a fine. Or the CEO sends an email titled “URGENT!!!!!,” with a message containing spelling mistakes.

Ask you to donate to a fundraiser, or some other cause. Disaster relief, political campaign, or charity needs money and/or your personal information to keep you informed.

Notify you that you’re a ‘winner.’ This phishing attack claims to be from a lottery, or a dead relative, or the millionth person to click on their site, etc. In order to receive your “prize” you will need to provide your bank routing number along with other details to steal your identity.

Pose as tech support or other professional. Also considered a “Quid Pro Quo” attack, the cyber-criminal is responding to an issue, and requests information, and/or a download of a scanner (malicious software) to scan your system. The criminal may be quite helpful and provide productivity tips while stealing your identity.

Serious Business Pre Text

One form of pretexting, called Business E-Mail Compromise (BEC) uses a variety of tactics to con the company into wiring funds. The cybercriminal group likely gains access through spear-phishing and/or malware, and then spends weeks or months discovering the organization’s billing process, vendor payments, and the CEO’s email style and travel schedule.
Then when the CEO is out of office, the scammers send a targeted email posing as the CEO to the finance officer (bookkeeper, accountant, controller, or CFO ) requesting an immediate wire transfer. The vendor will sound familiar though the account numbers will be slightly different.

If undetected, the initial and subsequent requests will cost the company thousands if not hundreds of thousands of dollars.

Baiting

This type of social engineering scheme dangles malicious devices inside a seemingly harmless carrier, hoping someone will “take the bait.”

These schemes are often found on Peer-to-Peer sites offering a recent movie, or music to download, but they’re also found on social networking sites, job posting sites, online auctions and e-commerce sites.