CASE STUDY: THE MARRIOTT DATA BREACH
In November 2018, Marriott, the world's largest hotel company, announced that one of its reservation systems had been hacked. With over 7,000 properties and more than 1 million hotel rooms worldwide, Marriott manages a very large and detailed database on the movements of millions of people, which makes it a valuable target for hackers. In what is believed to have been the second-largest data breach in history, an estimated 500 million guest records were downloaded by hackers, including credit card information, addresses, phone numbers, and passport information. Marriott has estimated that credit card information on 327 million individual customers was involved, along with 25 million passports, millions of which were not encrypted.

The system involved was the reservation system for Starwood Hotels, which includes the Westin, Sheraton, St. Regis, and W hotels. After purchasing Starwood in 2016, Marriott continued to operate the Starwood system independently because Marriott's own reservation system was not capable of taking on Starwood's additional load. This turned out to be a major factor in the data breach.

How the breach occurred is still not completely understood by Marriott or the authorities. An initial investigation by Marriott found that the Starwood legacy system was likely breached in 2014, but Starwood systems personnel did not detect the installed malware for a period of four years. When Marriott purchased Starwood, it purchased a reservation system that was already compromised. To make matters worse, shortly after the acquisition Marriott laid off many of the Starwood system's staff in an effort to cut costs through consolidation, as often occurs in mergers and acquisitions. Subsequently, several class action lawsuits have been filed claiming that Marriott did not conduct sufficient due diligence when purchasing Starwood and that management allowed a compromised reservation system to continue operating.
Company and government investigators did find a remote access trojan that could send any data it found to external servers, along with Mimikatz, malware for finding the data. Mimikatz is a tool that can search username and password combinations in large databases. How the trojan and Mimikatz got access to the Starwood servers is unknown, but one likely candidate is phishing emails sent to Starwood employees who had legitimate access to its reservation system. The weakest link in most systems is the endpoint: the users who have legitimate access to the system.

If the guest information had been properly encrypted, it might have been useless to the hackers. Unfortunately, this was not the case. The credit card information was indeed encrypted, but the hackers also likely stole the encryption keys, which were stored on the same hacked server. This is a fatal flaw in many corporate systems: best practice calls for keeping the encryption keys that unlock encrypted data on separate servers that are isolated from the firm's main transaction systems and, ideally, on separate secure networks. Encryption alone is not a bulletproof guarantee of cybersecurity but rather a basic first step that works only if it is properly installed and managed. Unfortunately, passport numbers were stored "in the open" and not encrypted at all.

Who actually led the hacking effort, and for what purpose, remains a mystery, although there are a few clues. Hacks of large databases containing credit card information usually result in that information being sold quickly to other hackers on the dark web or being used to make fraudulent credit card purchases. However, this spurt in illegal activity did not occur after the Marriott hack, and none of the stolen information has appeared on the dark web. U.S. government investigators believe this was not a hack done for commercial reasons; instead, they point to Chinese intelligence agencies as the likely source, because the hackers used cloud servers associated with Chinese state hackers, along with other details of the hack that, to date, remain undisclosed. One theory is that the stolen passport numbers may be the most valuable aspect of the hack. Marriott is one of the main hotel providers for U.S. armed forces and government personnel, and the data on government guests could be useful for tracking the movements of military and intelligence employees and for building dossiers on individuals. In congressional testimony in Washington, however, Marriott's CEO denied that the Chinese were involved.

Marriott announced in 2019 that it had incurred $128 million in expenses due to the breach. It has also been fined $120 million by the U.K.'s Information Commissioner's Office (ICO) for violating U.K. privacy laws, which are derived from the EU's General Data Protection Regulation (GDPR). The ICO claims that Marriott failed to undertake adequate due diligence when it acquired Starwood. Marriott's 2018 revenues were just over $20 billion. Hence, $250 million in fines to Marriott constitutes about 1% of its revenues and about 11% of its $2.2 billion in earnings: a substantial loss of earnings but a minor part of its overall revenue. However, loss of reputation and potential loss of customers, including government agencies, is also a risk for Marriott that could amount to much more than government fines. Marriott responded to the breach by offering guests compensation for the cost of obtaining a new passport, as well as for credit card losses if fraud occurred as a result of the breach. Several class action lawsuits have been filed against Marriott, as well as against Accenture, the consulting and services company to which Starwood had outsourced its security.
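An added illustration, not drawn from the case study or its sources, of the key-separation practice described above, in Go: the reservation database holds only ciphertext plus a per-record data key wrapped under a key-encryption key that lives in a separate key service, so a copy of the database alone cannot be decrypted, whereas storing the raw key beside the ciphertext (the flaw described in the case) would let a stolen copy decrypt itself. The names KeyService, Record and DecryptWithKEK are assumed for this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // no entropy: stop, never continue
	return b
}
// seal/open are AES-256-GCM; a blob is nonce || ciphertext || tag and open fails under any wrong key.
func seal(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil), nil
}
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := g.NonceSize() // blob layout is fixed by seal above
	return g.Open(nil, blob[:n], blob[n:], nil)
}
// KeyService stands in for an isolated key-management host (assumed name): its key-encryption
// key (KEK) never leaves it, and the reservation database only ever sees wrapped DEKs.
type KeyService struct{ kek []byte }
func NewKeyService() *KeyService { return &KeyService{kek: randomBytes(32)} }
// Record is what the transaction server stores; the case-study flaw amounts to keeping the raw DEK here.
type Record struct{ WrappedDEK, Ciphertext []byte }
func (ks *KeyService) Encrypt(field string) (Record, error) {
	dek := randomBytes(32) // one fresh data key per record
	ct, err := seal(dek, []byte(field))
	if err != nil { return Record{}, err }
	w, err := seal(ks.kek, dek) // the only operation that touches the KEK
	return Record{WrappedDEK: w, Ciphertext: ct}, err
}
func (ks *KeyService) Decrypt(r Record) (string, error) { return DecryptWithKEK(ks.kek, r) }
// DecryptWithKEK unwraps with whatever KEK the caller holds: an attacker with only
// a database dump has no KEK, so unwrapping fails before any guest data is exposed.
func DecryptWithKEK(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil { return "", err }
	pt, err := open(dek, r.Ciphertext)
	return string(pt), err
}
```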
The City of Chicago sued the company in 2019 for failing to protect the personal information of Chicago residents, claiming that Marriott had allowed criminals to copy extensive personal information for over four years and failed to implement reasonable safeguards that could have prevented the data breach. Even worse, so the suit claims, firm managers knew of the security risks for four years.
(Sources: "Why Encryption Is Failing Us" by Tom Kellermann, Techradar.com; "Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?" by Josh Fruhlinger, CSOonline.com)
Based on the above case study, answer the following questions.
a. Analyze the security breaches that occurred in the Marriott database in relation to intentional threats to e-commerce security.
b. Suggest the best protection strategies that Marriott Hotel should implement to combat data breaches on its reservation systems, considering procedural, technical, and physical controls.
c. Discuss the security concerns of online credit card systems, which involve a wide range of online and mobile payment methods. Propose other online or mobile payment systems that you believe would be appropriate and safe for the Marriott Hotel's needs.