Case Study: Marriott Data Breach


On November 30, 2018, hospitality giant Marriott International announced that an “unauthorized party” gained access to the personal information of 500 million Starwood customers, joining the ever-growing list of massive breaches that seem to be occurring more and more frequently.

Marriott announced that, sometime in early September 2018, it received an alert from an internal security tool indicating that an unknown entity had attempted to access the Starwood guest reservation database. Shortly thereafter, Marriott engaged outside cyber security experts to help determine what exactly had happened. It was discovered that there had been unauthorized access to the Starwood network as early as 2014. It was then discovered that this party had copied and encrypted customer information and had taken steps to remove it from the Starwood database.

Marriott advised that the data exposed included passwords, email addresses, and arrival and departure dates, as well as passport information.

Background on Marriott Breach

While Marriott says it is looking into how the breach took place, the question on everyone’s mind is why it was only detected now, when it is evident that it began over four years earlier. With the extensive resources Marriott has available, it should have been able to identify and isolate the intrusion risk in 2014. Unfortunately, it was also around this point that Marriott announced its acquisition of Starwood Hotels and Resorts Worldwide, and that is where the issue may have begun.

Not two months after the announcement of the merger, Starwood reported that it had suffered a large-scale credit card hack. Shortly thereafter, the company’s home website was the victim of a SQL injection attack, and offers to hack the site were being made across the dark web. It is for this reason that experts are saying Marriott should have known, at that time, that it was taking a considerable risk in acquiring Starwood.

Risk Model Estimates

Catastrophe risk modelling firm AIR Worldwide estimates that the direct cyber incident losses for the breach will be in the neighborhood of $200 million to $600 million. These estimates are based on both the number of consumers affected and the type of information involved.

AIR Worldwide notes that the wide ($200m–$600m) range of loss estimates reflects uncertainty about the data that was stolen, such as the number of duplicate records, and additional uncertainty about whether the encryption keys were stolen along with the encrypted credit card data.

It should be noted that the loss estimates are based solely on an analysis using AIR’s “Cyber Risk Model.” As a result, they are subject to uncertainty and are not based on any actual policy or loss data reported by Marriott. It is also worth noting that some of the financial impact to Marriott may be partially offset by the cyber insurance and liability insurance coverage it reportedly holds; this is not accounted for in the loss estimates.

Government Regulation

Under the EU’s GDPR and Canada’s PIPEDA, the hospitality industry is under pressure to comply, as the range and nature of the personal data held in any guest database poses a particularly high risk if it falls into the wrong hands.

“This is much more than a consumer data breach. When you think of this from an intelligence gathering standpoint, it is illuminating the patterns of life of global political and business leaders, including who they traveled with, when and where. That is incredibly efficient reconnaissance gathering and elevates this breach to a national security problem.”

Michael Daly – Cybersecurity Chief Technology Officer, Raytheon Intelligence

Beyond regulatory examination, Marriott is now facing multiple class action lawsuits as a result of the breach.

Application Security Testing

SQL injection vulnerabilities are not a new class of vulnerability, and they have been at the center of many data breaches. These vulnerabilities can be discovered through an application security assessment performed by an experienced team of ethical hackers. Application security testing evaluates a range of threats and helps detect vulnerabilities in your applications before a data breach occurs. Given the significant cost of a data breach, proactive testing is essential to reduce risk.

At Packetlabs, our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often, firms will try to commoditize security testing by heavily depending on automated testing and trivial VA scans with little benefit to the client. Our methodology only begins with automated testing. After that, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.

We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients has been breached by a vulnerability we’ve missed; we take this very seriously.

Contact us to learn more about how we can help.