MARRIOTT INTERNATIONAL UNINTENTIONALLY bought trouble when it acquired Starwood Hotels & Resorts Worldwide in September 2016, according to testimony Marriott CEO Arne Sorenson gave before a Senate committee Thursday. The old Starwood reservation system was compromised and that led to a data breach, one of the largest in history.
Sorenson appeared before the Homeland Security & Government Affairs Permanent Subcommittee on Investigations Thursday along with other industry leaders to discuss the breach that affected about 383 million former Marriott guests. That figure is at least lower than the original estimate of 500 million compromised guest records.
“To be clear, this does not mean that information concerning 383 million unique guests was involved; in many instances, there appear to be multiple records for the same guest, but because of the nature of the data, further de-duplication cannot easily be performed,” Sorenson said in his testimony. “But we have concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved.”
Sorenson testified alongside Equifax CEO Mark Begor, who testified on the 2017 breach his company experienced. The Marriott CEO began his testimony by recounting his compan
Marriott has said previously that the investigation into the breach began in September after one of its internal security tools detected an attempt to access the database in the U.S., and Sorenson reiterated that stance in his testimony. The investigation determined that an unauthorized party had been copying and encrypting information from the database since 2014. The database had passed initial reviews before the acquisition, but those reviews were limited in scope, Sorenson said, because Starwood was a direct competitor of Marriott until the deal closed.
“Until our investigation of the incident that was announced on Nov. 30, we were unaware that the Starwood Guest Reservation database had been infiltrated by an attacker,” Sorenson said.
Marriott decided to retire the Starwood reservation system, but that would not be easy. The company had to migrate Starwood’s 1,270 hotels into its own system without an interruption in service, and it had to be done in two years. Marriott added additional security to the system in the meantime, Sorenson said, and accelerated the process of retiring it last November. By the close of last year the system was shuttered.
The incident involved approximately 18.5 million encrypted passport numbers and approximately 5.25 million unencrypted passport numbers, of which approximately 663,000 are from the U.S., according to the most updated information Sorenson provided. About 9.1 million encrypted payment card numbers, of which approximately 385,000 were unexpired as of September 2018, were compromised.
“To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility,” Sorenson said.
Along with releasing information on the breach to the media, Marriott began e-mail notifications to affected guests, which were completed in December. It also created a website dedicated to providing information on the breach to guests. In addition, 250,750 U.S. guests have used Marriott’s web monitoring service.
“So far, approximately 17,700 requests have been received through this website by guests wanting to know more about whether their information was involved,” he said, but added that so far they have not received any substantiated claims of loss from fraud attributable to the incident. “Moreover, none of the security firms we engaged to monitor the dark web have found evidence that information contained in the affected tables has been or is being offered for sale.”
The company rolled out endpoint protection tools to more than 200,000 devices on both the Starwood and Marriott networks; the tools allow real-time discovery of suspicious behavior and include next-generation anti-virus features.
“We are focused on identity access management, which means a broader deployment of two-factor authentication across our systems, as well as network segmentation, which means isolating the most valuable data so that it becomes more difficult for attackers to access the systems and for malware to spread through the environment,” Sorenson said. “We know that this is a race that has no finish line. Cyber-attacks are a pervasive threat.”