Marriott Reports the Loss of 500 Million Customer Records in Massive Data Breach
Good news, Dell! You are no longer the cybersecurity nightmare of the week. Bad news, 500 million people! You are now the victims of a truly magnificent data breach.
First, just the facts.
On 30 November, 2018, Marriott International issued a press release informing the world that they had discovered a data breach affecting up to 500 million customers. The release contained the following salient details:
On 8 September, 2018, an internal security tool began issuing alerts of unauthorized data access.
The company “engaged leading security experts to help determine what occurred” and began the investigation process.
Marriott discovered that the breach had existed, in some form or another, since 2014.
Marriott found a massive trove of data which had been encrypted by the attackers and was being or had been (the release is somewhat unclear on this point) exfiltrated.
Upon decryption, they found that as many as 500 million customer records had been compromised. Those records included:
“Preferred Guest” records
Credit card information (encrypted under AES-128)
It’s all over but the crying, but there’s a lot of crying.
Sweet mother of <REDACTED>. 500 million records is incredible. It’s such a huge number, we can’t really think of it in a way which makes sense. We hear the number 500 million, but we can’t seriously comprehend what it means. To help properly understand a number that big, we need to establish a useful frame of reference.
The best-selling album of 2017 was Divide, by Ed Sheeran. Ed Sheeran’s third studio effort blew the industry out of the water, taking home the Grammy for Best Pop Album, crushing half a dozen records, it went platinum 4 times in the US and dozens of times around the world, it bought the recording executives so many yachts they could have an aquatic demolition derby, and it played everywhere. Coincidentally, I was actually listening to that album when I first found out about this story, so maybe my frame of reference idea wasn’t entirely as creative as I’d like to pretend.
The best-selling movie of 2017 was Transformers: The Last Knight, which, sigh. It outperformed Jumanji, Thor: Ragnarok, Spiderman: Homecoming, Wonder Woman, Baby Driver, and wow, it’s just occurring to me that 2017 was a pretty solid year for nerdy movies. Anyway, the point is that Transformers: How Does This Keep Happening did gangbusters at the box office.
The best-selling album of all time is Thriller by Michael Jackson. If I need to tell you about that album, it’s because you live under a rock, and frankly the rock thinks you’re a bit out of touch. Thriller defined more than a generation of pop music. The eponymous song is still a cornerstone of the musical world, and literally hundreds of thousands of homage videos can be found on the internet. If Divide is a cultural touchstone, Thriller is Ayers Rock.
The best-selling movie of all time (we’re almost to the point, I promise) was Avatar. I very nearly stopped writing this article when I found that in my research, but I’m soldiering on. Normally, I’d take a few sentences to break down the cultural impact of the film, talk about the ubiquity of reference and homage, and make a strangely applicable comparison. To be totally honest, I saw Avatar once when it came out, and I was on a first date at the time, so I’d be hard-pressed to tell you the protagonist’s name. I’d look it up, but my editing team keeps staring pointedly at my word count, so let’s call him Timmy and move on. The point is, everyone and their cousin bought a ticket for Avatar.
Divide: 10 million albums sold worldwide
Thriller: 66 million albums sold
Transformers: Seriously, another one?: 14.5 million tickets sold (estimated)
Avatar, the Last Blue Pocahontas: 95 million tickets sold (estimated)
So even if there were no overlap whatsoever in those numbers, we’d be looking at a maximum of 185 million people. Some of the highest-performing media in human history, and we haven’t even hit the halfway point. If these are unique records, you are twice as likely to be included in this data breach as you are to have purchased tickets or albums for a series of literally world-changing (except you, Avatar, stay in your corner) media.
500 million is such a massive number that when I talked about it with my roommate (a physicist; thanks, east coast rent!), even he had to admit it was a pretty big total. For those of you who don’t know any physicists, that’s like your friend with a beanie and an ironic mustache admitting you make good coffee.
So what does this actually mean?
For most people, it means what every data breach means. You need to watch your credit, your bank accounts, and any other records you might consider important. These hackers didn’t just take enough information to steal your identity, they took enough information for a complete Face/Off maneuver. Marriott is offering free monitoring services, because of course they are, and most banks and credit unions have learned to be pretty skeptical of sudden country-hopping purchases, as I discovered when I had my card frozen three times trying to book hotels and flights for Black Hat Europe. The real danger is going to be in the creation of new lines of credit, new accounts, that sort of thing. With so much data, hackers will have a real chance of breaking into other online accounts, and the market for stolen identities is going to be booming for a while.
Obviously, as always, make sure you’re using unique passwords for all of your online accounts. Since no one ever seems to do that, I recommend picking up a password manager and letting it handle the randomization for you. Personally, I use Rippling’s vault and the built-in google password manager, but there are tons and tons of options in the world.
On the enterprise and world-wide level, it means a couple of things. 500 million unique IDs (they won’t be unique, but it’s useful to pretend they are for our math) translate to a lot of money on the black market. An article by qz.com claims that each ID brings in around $20 of illegal revenue, though I imagine there’s likely to be a firesale on this one. With yet another high-profile breach, particularly following so closely on the issuance of GDPR, we’re likely to see regulators and government officials get more enthusiastic about regulation and monitoring, other major companies hardening their security posture, and about a million “this is what they did wrong” posts from every security nerd with an internet connection.
This is what they did wrong
As a security nerd with an internet connection, I’m going to go ahead and weigh in on their mistakes for just a second. First and most obvious, FOUR YEARS. Four whole years. That’s a college degree. That’s a standard enlistment contract in the military. That’s 146 terms of Anthony Scaramucci as White House Communications Director. Hackers being in your network for four uninterrupted years isn’t just unacceptable, it’s confusing. I couldn’t stay in the Navy’s computer system for four years without assistance, and I was supposed to be there.
Second and still pretty obvious, encryption. As far as anyone can tell, all of these customer records were stored in plaintext in Starwood’s (Marriott’s) system. In fact, the funniest part of the release is when they mention they had to break through encryption to find out what had been stolen. The hackers had encrypted the data they were stealing. At least someone is practicing some OPSEC here, I guess.
The company did go out of its way to mention that the credit card data had been encrypted with AES-128, which is actually pretty good. That’s the encryption standard I generally want to see when we’re talking about financial data, and I was heartened to read it. Unfortunately for my psyche and the general tone of this article, I continued reading:
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Just… Come on, Marriott, give me something to work with here. I like your hotels, even if I think “resort fee” is just code for “you already flew all the way out here and we know you’ll pay it, so sucks to be you… fee”. The water is almost always hot, the sheets are reasonably clean, and I actually proposed to my wife in a Marriott while a Sinatra vinyl played in the background (full disclosure, I’m the ironic mustache friend). I want to like you.
The last bit I’m going to mention in terms of what they did wrong is probably the most minor in the grand scheme, but it’s also one of the most common mistakes companies make in this position. They discovered the breach, and at least knew what data the hackers had access to, in September. Sure, they didn’t have all the facts and didn’t want to make a statement without being able to make it clearly and concisely, but they knew what had potentially been stolen, and they should have done something to show good faith. When Dell found out their system had been popped, they reset everyone’s passwords immediately, then went about getting their PR ducks in a row for the release. It wasn’t a perfect solution, but it was an obvious good-faith effort and it largely kept them from being raked over the coals. Marriott, unfortunately, are going to end up a bit crispier before it’s all said and done.
A Parting Shot
I am aware that this article could charitably be called “combative” and more accurately be called “extremely aggressive with a side of tangent”, and I probably would have been willing to go a bit easier on Marriott if it hadn’t been for one line in their release:
“Marriott deeply regrets this incident happened.”
They don’t regret their failure, the breach of trust it represents, or the fact that it took 4 years before someone finally saw the blinking red light. They regret that the incident happened. I talked about it above, and I want to repeat it here. Show Good Faith. Every company has security flaws. If they didn’t, I wouldn’t have a job. Pretty much every major company is going to have a data breach of some magnitude, though hopefully there won’t be too many more on this scale (spoiler alert: there will be). The difference will always be made in the response. If you immediately alert your customers and lock down everything you possibly can, then perform the kind of thorough analysis necessary to give everyone the full scope, you can usually scrape by with a bit of negative coverage and a whole bunch of new security investment. When you take this long to respond, and the response is written in this no-fault, passive voice cop-out, you get…
Well, you get an article like this one.
All contents of this article reflect the opinion of the author, not the official stance of Cybrary. They were very insistent I say so.