Marriott—the 500M Record Scandal Marring the Hospitality Industry
I have been a customer of Marriott for over 25 years. With some exceptions, the Marriott chain has been able to hold onto my loyalty with their service better than banks, credit card issuers, airlines and other service oriented brands. Getting the news of Marriott’s 500M guest record breach (over the last 4 years!) was personally disturbing for me. This breach not only ranks as the second worst breach in computing history, but also exposed some of the most sensitive information of customers—making it even more certain that your data is already available. After 25+ years of being a Marriott customer juxtaposed against my 20+ years of work in data security, I somehow feel responsible that I could have done more to help this company avoid this disaster. While it is much too late to prevent Marriott the monetary costs as well as loss of trust and a marred reputation, what can others in the hospitality industry do to avoid a similar fate?We don’t yet know for certain how the Marriott breach happened (root cause analysis is not yet available), but we can speculate on common factors. The use of passwords, for one. Invented in the mid-20th century, passwords have become obsolete as a form of protection. In fact, a searchable database of 1.4B cleartext passwords, collected from past breaches, is freely available on the dark web. Although stronger authentication technology (based on digital certificates) has been in use for nearly a quarter of a century, the difficulties and expense of implementing these systems prevented them from displacing passwords despite billions spent on deployments around the world.
In recent years, a cost-effective, consumer-friendly and secure technology from the FIDO Alliance makes authenticating without passwords a viable option. Standardized three years ago, FIDO authentication now has dozens of suppliers available worldwide, and is strong enough to have been given the “highest assurance level” for authentication by the NIST Digital Identity Guidelines of 2017. The only barrier to implementation is the willingness to integrate the technology into existing applications.While strong authentication with FIDO technology is one of the most effective defenses to prevent unauthorized access, encrypting data within the application that uses it is the most effective defense to prevent unauthorized users from viewing it. Given that this breach was initiated over four years ago and left unchecked, the authentication portion almost seems small in comparison to what proper data encryption protocols may have prevented. Marriott's press release indicates that their guest data was encrypted, but couldn't confirm that the components that make up its encryption key were not also stolen. If the attackers were able to get to the encryption key components, it’s possible that Marriott did not heed the first rule of secure key management: that cryptographic keys themselves need to be encrypted and protected on purpose-built cryptographic hardware. In conjunction with strong authentication and smart key management policies and procedures, a breach like Marriott’s becomes irrelevant: even with a breached network and pilfered guest data, attackers would have been unable to steal the cryptographic keys to decrypt that data—rendering it useless.
Even when strong authentication and encryption are in use, it is possible for companies to be affected by a more insidious attack: modifying data within a system so that legitimate users are led to make incorrect actions. This might appear to be a trivial business problem in comparison to the theft of sensitive information, but it could lead to financial and/or reputation damages. The change of guest information in reservations, for example, could lead to authorized guests finding themselves without a reservation in their name. While attacks of this category are not common, it is conceivable that cyberattackers might find lucrative ways to leverage them.
To prevent this, there is yet another security protocol that is highly underutilized to protect data integrity: digital signatures. As with all technological risk-mitigation measures, adding data integrity controls requires a little effort during the design and construction of the system, but forward-thinking companies in the industry that choose to protect their systems with appropriate encryption and authentication controls would be well advised to do so.
Although the Marriott breach is the first of this scale and magnitude, breaches in the hospitality industry have happened before. Over the coming weeks we are likely to learn more about how the breach occurred, but there is no reason for other businesses to wait to begin the task of better protecting hospitality systems and the guests that represent the life-blood of the industry. Whatever the cost may be to improve data defenses, it will pale in comparison to the consequences of consumer distrust—I know I have yet to resolve my quandary of whether I should stay at a Marriott property again.
*blog image courtesy of Basil D Soufi, under Creative Commons 3.0 license.