Another Friday, Another Breach Announcement

Today, Marriott announced that it uncovered four-plus years of a previously unknown, unexpected, and unauthorized data breach that includes travel details, passport numbers, and credit card data. Five hundred million customers found out this morning when Marriott announced a multiyear breach dating back to 2014. Longstanding defects in Starwood’s database and network security allowed attackers to capture names, addresses, dates of birth, passport numbers, communication preferences, arrival and departure information, and more.  In short, an exceedingly valuable trove of data for the attackers. Marriott has followed the by-now familiar data breach announcement playbook: it apologized, promised customers it cares about security, provided a website and dial-in number, and also offered credit monitoring.

Cybersecurity M&A Due Diligence Rears Its Ugly Head

We can’t know the internal details of the acquisition due diligence process, but a thorough cybersecurity due diligence effort should have flagged the database and network security weaknesses that the attackers – by then resident in Starwood’s network for two years — exploited.  The strategic nature of M&A activity means cybersecurity issues might not stop an acquisition, but they certainly can lower the price and create arbitrage and risk-transference opportunities, as seen with Verizon and Yahoo.  Lesson for CEOs and CISOs going through M&A: Don’t skimp on cybersecurity due diligence.

The Surveillance And Data Economy Problem

When companies collect massive amounts of data in the name of customer experience, they also accept the obligation and responsibility of protecting that data. In this case, Starwood — and Marriott, by acquisition — failed in that responsibility. Consider the following:

  • Travelers’ data is now in the hands of at least one set of attackers, possibly more. Travelers’ habits, destinations, frequently visited areas, preferred arrival times, and more are now out there without their consent. Four-plus years of travel data on 500 million people is a massive data set for a data scientist to use to profile people. Companies involved in sensitive industries that have heightened physical safety risks will have to evaluate how this affects their firms and their employees. They may need to change travel habits or plans for key individuals who might be caught up in this breach.
  • There are national security implications due to passport numbers and other details. This breach has major nation-state-level consequences given the amount and type of data accessed by attackers. Any time passport data is part of a compromise, you must factor in the potential ramifications. Resources at various agencies across the globe will now have to wait to receive details on what information was gathered by attackers and how that information could compromise existing operations or assets. Further, intelligence agencies around the world now have access to a treasure trove of information about travelers from adversary nations that can be used for their operations.
  • It’s fine to buy this data, just not to steal it. Unauthorized data sharing makes companies that sell data unhappy. But the fine print of the apps and promotions systems we sign up for forces most of us to consent to the collection and sharing of this data. While GDPR and other regulations seek to empower consumers with the right to opt out and be forgotten, not everyone benefits from those protections. In this case, attackers obtained customer data without Marriott or Starwood’s consent or knowledge, which raises an important question: What if Marriott intended to commercialize this data? That would mean the loss of a massive revenue opportunity.

Brand Lesson: The Biggest Brand Always Gets Bloodied In A Breach

This breach happened to Starwood, not Marriott.  In fact, if you only stayed at Marriott properties, you are unaffected, but media that talk about this breach mention Marriott far more than Starwood. That’s a lesson to every brand out there. Whether it’s an acquisition, merger, or simply a subsidiary, the biggest brand will always get the most attention when a breach is announced. All of the momentum and energy your brand has gets sidetracked when a breach occurs — even if it didn’t happen to you. Some other key lessons follow:

  • Cybersecurity due diligence — pay early or pay often. For Marriott, the price it paid for Starwood just went way up. Legal issues, regulatory problems due to GDPR (and more), breach investigation and notification services, remediation actions, and public relations costs just skyrocketed. We often mention that breaches have a long tail, and in this case, the price Marriott paid for Starwood is far higher than what it originally promised shareholders due to the discovery of this incident. The lesson for everyone here is twofold: Cybersecurity due diligence in M&A is vital, and not paying for it at the time will make everything far more expensive later.
  • Phishing just got easier for attackers. The amount and type of data obtained by attackers will make other compromises easier, as well. If attackers know where your employees travel, how often, who they travel with, and how long they were there, then those attackers’ phishing, spear phishing, and social engineering attacks just became a whole lot more successful. Your employees may not open an email from people they don’t know, but what about an email from the hotel manager thanking them for staying at one of your corporate hotels a few times in the past year with a coupon attached?  This breach will make protecting your employees harder.
  • GDPR is now the first thing companies think about after a breach. Within minutes of this breach being announced, everyone began to consider how the GDPR would apply.  Since it is well past the 72-hour notification window for GDPR and many other breach notification laws (it discovered the breach on September 8), the company has opened itself up to more fines than necessary. But notification is only one of its problems. The company will need to address questions about how it manages and governs personal data, including retention policies and more.

What It Means: The Basics Of Defense Are Already Well Known And Easy To Implement

As the case has been for nearly every other mega-breach in recent history, the methods that the attackers used to exploit this system weren’t magic or exceedingly advanced. Basic database security protocols, good authentication, minimization of lateral movement, and an understanding of how to apply technology strategically would have made a big difference.  For example, if Marriott had built a digital clone of a network for testing and security optimization during the M&A due diligence phase, they’d configuration would have been noted and the exploitation could have been interrupted.