Marriott Data Breach

The Marriott data breach, disclosed in 2018 but traced back to 2014, remains a landmark event in cybersecurity. In April 2024 new details emerged in court that renewed scrutiny of Marriott’s handling of the breach and of the security measures in place at the time. This blog post covers the latest developments, the cause of the breach, the lessons learned, and the steps organizations can take to strengthen their defenses.

Incident

In April 2024, Marriott’s account of the 2018 breach unraveled during a hearing in US District Court. For more than five years, Marriott had downplayed the breach, claiming that the compromised card and passport numbers had been protected with AES-128 encryption. On April 10th, Marriott’s lawyers disclosed that the data had in fact been protected with SHA-1, which is a one-way hash function, not an encryption algorithm. The distinction matters: an unkeyed hash of a 16-digit card number can be reversed simply by hashing every plausible number and comparing digests, because the input space is tiny and there is no secret key to stop the attacker. Properly keyed encryption does not have that weakness.

Marriott’s recent statement clarified: “Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018, were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).”
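To make the SHA-1 versus encryption point concrete, the following is an added example (not Marriott’s code or data): a constructed, Luhn-valid test card number is hashed with bare SHA-1 as the filing describes, then recovered by enumerating the six unknown middle digits once the issuer BIN and the last four digits are assumed known (the last four are routinely stored or printed in clear). The same enumeration is then run against a keyed token built with HMAC-SHA256 under a random secret key, which fails; real encryption such as AES-GCM gives the same property, but the keyed hash keeps the example to the standard library. The BIN, last four digits and test PAN are assumptions chosen for the example.

```python
"""Unsalted SHA-1 of a payment card number is not encryption.

Constructed demonstration (not Marriott's data or code). The test PAN below
is a Luhn-valid number chosen for the example, not a real card.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional, Tuple

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Luhn check: double every second digit from the right, digit-sum it, total must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sha1_hex(pan: str) -> str:
    """Unkeyed SHA-1 of the PAN digits: the kind of value the Starwood tables reportedly held."""
    return hashlib.sha1(pan.encode("ascii")).hexdigest()


def keyed_token(pan: str, key: bytes) -> str:
    """Keyed alternative (HMAC-SHA256). Without `key`, enumerating PANs reveals nothing."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(target: str, bin6: str, last4: str,
                digest: Callable[[str], str] = sha1_hex) -> Tuple[Optional[str], int]:
    """Enumerate the six unknown middle digits, hashing each candidate with `digest`.

    Returns (pan, candidates_tried). With the issuer BIN (first 6 digits) and the
    last four known, at most 10**6 digests are needed; a Luhn filter would cut
    that by another factor of ten, and even a full 10-digit unknown (10**10
    candidates) is a feasible offline search on commodity hardware.
    """
    tried = 0
    for middle in itertools.product(DIGITS, repeat=6):
        candidate = bin6 + "".join(middle) + last4
        tried += 1
        if digest(candidate) == target:
            return candidate, tried
    return None, tried


def demo() -> dict:
    pan = "4539148803436467"        # constructed Luhn-valid test number (assumption, not a real card)
    assert luhn_valid(pan)
    bin6, last4 = pan[:6], pan[-4:]

    # 1. What the breached tables held: bare SHA-1. The PAN falls out of a short enumeration.
    recovered, tries = recover_pan(sha1_hex(pan), bin6, last4)

    # 2. Keyed construction: the key would live in a KMS/HSM, never beside the data.
    #    The attacker has no key, so the same SHA-1 enumeration sees only noise.
    key = secrets.token_bytes(32)
    token = keyed_token(pan, key)
    keyed_recovered, _ = recover_pan(token, bin6, last4)

    return {"recovered": recovered, "tries": tries, "keyed_recovered": keyed_recovered}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers the test PAN after a few hundred thousand SHA-1 calls, well under a second of work for a GPU and a few seconds in pure Python, while the keyed token survives the full enumeration. Nothing about SHA-1 being old is what breaks here; an unkeyed SHA-256 would fall the same way, because the weakness is the tiny input space, not the hash.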

Scale of the Breach

The Marriott data breach of 2018 was one of the largest consumer breaches on record. Marriott initially estimated that up to 500 million guest records were affected; in January 2019 it revised the figure to roughly 383 million after removing duplicate entries, which still represents a large share of its customer base.

Data Exposed

The personal information compromised in the breach included:

  • Credit card details
  • Passport numbers
  • Birthdates
  • Other personal information such as names, mailing addresses, and reservation details

Cause of the Breach

The intrusion began in Starwood’s guest reservation database in 2014, two years before Marriott acquired Starwood in 2016. The compromised system came with the acquisition, yet Marriott did not detect the intrusion until September 2018, leaving the attackers with access to guest data for roughly four years.

Lessons Learned

The Marriott data breach offers several critical lessons for businesses:

  • Accurate Incident Reporting: Ensuring that public statements and legal disclosures accurately reflect the security measures in place is crucial for maintaining trust and compliance. Misleading claims, even if unintentional, can exacerbate legal and reputational damage.
  • Due Diligence in Mergers and Acquisitions: Companies must conduct thorough cybersecurity due diligence when acquiring other businesses. Understanding the security posture and vulnerabilities of acquired systems can prevent inherited risks.
  • Regular Security Audits: Continuous and rigorous security audits of all systems, especially those involving sensitive customer data, are essential. Identifying and addressing vulnerabilities proactively can mitigate potential breaches.
  • Appropriate Cryptographic Controls: A hash function, SHA-1 or any other, is the wrong tool for card and passport numbers. It is unkeyed, and these values have so little entropy that an attacker can hash every plausible input and match it against the stored digests. Such data needs authenticated encryption (for example AES-GCM) or tokenization, with keys held outside the database, together with a plan to rotate keys and retire algorithms as they weaken.
  • Incident Response Preparedness: Developing and maintaining an effective incident response plan enables organizations to swiftly and effectively address breaches. This includes clear communication protocols to inform affected parties and regulatory bodies.

Remediation Steps

  • Comprehensive Security Overhaul: Undertake a complete review of the cybersecurity framework, upgrading controls across all systems and inventorying exactly how each class of sensitive data is protected, so that the next public statement is backed by evidence rather than assumption.
  • Enhanced Encryption Practices: Replace hashing of payment card and passport numbers with authenticated encryption such as AES-GCM (AES-128 or AES-256; the key length was never the weakness here) or with tokenization, with keys stored in an HSM or key management service rather than alongside the data. Where a hash of a card number is still needed for lookups, PCI DSS v4.0 requires that it be a keyed hash.
  • Strengthened Incident Response Plan: Update and regularly test the incident response plan to ensure rapid and effective reactions to cybersecurity incidents. Establish clear protocols for communication with affected parties, regulatory bodies, and the public.