Marriott has reported that a massive data breach of its guest reservation system has led to the exposure of over 500 million customer accounts. The data, maintained by the Starwood division of Marriott, includes names, mailing addresses, email addresses, passport numbers, dates of birth, reservation details and, in some cases, payment card information.
And although the payment card data was likely encrypted, the key decryption components were also exposed.
What is of real interest about this breach (probably the second largest ever) is that evidence shows the hackers had been active in the Marriott system since 2014. Four years, and undetected during that entire period.
Four years of unauthorized and undetected access is an eternity for hackers. And really inexcusable from a security perspective. But it does serve to show that unprotected systems can lead to stealth attacks where hackers are less interested in “smash and grab” intrusions and more focused on a long-term presence in systems – where they can harvest information over an extended period of time.
The Marriott breach was apparently a direct attack on back-end databases, but front end access mechanisms are also a frequent target for infiltration attempts. This is especially true for applications where there is limited visibility into activity at the request / response level.
Who is accessing what information? Where are they accessing it from? Do they need to be accessing it at all? What controls do you have in place to protect sensitive data? These are all questions that a company needs to be prepared to answer. And not just in the event of a breach.
New regulations, like GDPR and the recent California Consumer Protection Act, now require organizations to be able to report on data access. Let’s say I discover that my bank account has been hacked. I have no clue how the culprits obtained my data. But it had to start somewhere, and under the new regulations I have the right to go to any company that stores my personal data, such as bank account information, name, address, SSN, etc., and demand to know who has accessed that information.
If an investigator or auditor showed up at your company’s doorstep demanding to see that level of access detail, would you be able to provide it? And could you provide it for the last four years?
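To make the point concrete, here is an added example (not code from the original post or from Marriott) of the kind of request/response-level audit log that can answer those questions: who read a given guest record, from where, and when, over a multi-year window, plus a check that flags reads of sensitive fields by principals outside an approved set. All user names, IP addresses and guest ids are constructed sample values.

```python
"""Minimal data-access audit log: records every request that returned personal
data and answers 'who accessed this record?' for a data-subject request."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fields whose exposure drove the Marriott breach's severity.
SENSITIVE_FIELDS = {"passport_number", "payment_card", "date_of_birth"}

@dataclass(frozen=True)
class AccessEvent:
    when: datetime        # time of the request
    actor: str            # authenticated principal making the request
    source_ip: str        # where the request came from
    subject_id: str       # the guest record that was read
    fields: frozenset     # which attributes of the record were returned

class AccessAuditLog:
    """Append-only record of every request that returned personal data."""
    def __init__(self):
        self._events = []

    def record(self, when, actor, source_ip, subject_id, fields):
        # Logged at the request/response layer, not only at the database,
        # so every front-end read of personal data is attributable.
        self._events.append(AccessEvent(when, actor, source_ip, subject_id, frozenset(fields)))

    def accesses_to(self, subject_id, since):
        """Answer a data-subject request: who read this record since `since`?"""
        return [e for e in self._events if e.subject_id == subject_id and e.when >= since]

    def suspicious(self, authorised_actors):
        """Flag reads of sensitive fields by principals outside the approved set."""
        return [e for e in self._events
                if e.fields & SENSITIVE_FIELDS and e.actor not in authorised_actors]

# Constructed sample events (hypothetical users, IPs and guest ids).
LOG = AccessAuditLog()
LOG.record(datetime(2015, 3, 2, 9, 15), "frontdesk_ana", "10.0.4.17", "guest-1001", ["name", "reservation"])
LOG.record(datetime(2016, 7, 9, 23, 42), "svc_report", "203.0.113.5", "guest-1001", ["name", "passport_number"])
LOG.record(datetime(2018, 11, 30, 8, 0), "frontdesk_ana", "10.0.4.17", "guest-2002", ["name"])

def who_accessed_guest_1001():
    """The auditor's question: every reader of guest-1001 over the last four years."""
    four_years_ago = datetime(2018, 11, 30) - timedelta(days=4 * 365)
    return [(e.actor, e.source_ip) for e in LOG.accesses_to("guest-1001", four_years_ago)]

def unauthorised_sensitive_reads():
    """Principals that read sensitive fields without being on the approved list."""
    return [e.actor for e in LOG.suspicious({"frontdesk_ana", "compliance_lee"})]

if __name__ == "__main__":
    print(who_accessed_guest_1001())       # [('frontdesk_ana', '10.0.4.17'), ('svc_report', '203.0.113.5')]
    print(unauthorised_sensitive_reads())  # ['svc_report']
```

The second check is the kind of signal that, had it existed, would have surfaced a service account quietly reading passport numbers long before four years had passed.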