Last week, CEO Arne Sorensen had issued a statement and described new details about the leak at Marriott: On Nov. 30, 2018, investigators had found that 383 million customer records, 18.5 million passwords, 5.25 million passport numbers, 9.1 million encrypted credit card numbers and 385,000 valid credit card numbers had been stolen. The damage that must have been caused by this may be gigantic and there will be some victims among them who cannot be compensated. In the month that followed the announcement, MAR’s stock price lost more than 12% of its value (down to $100.99).
Meanwhile, things are looking up, the price has recovered to currently $124.96 (as of March 18, 2019) and today it was announced that 1,700 new hotels are to be opened by 2021.
While this is certainly a happy development for Marriott, the question remains as to what the damage will run into in numbers and whether the handling of the security issue will continue to tighten in the future or whether this rapid recovery will encourage a dampening mood.
The background:
On Sept. 08, 2018, Accenture, which manages the Starwood database that maintains data for reservations, had announced that its IBM Guardium monitoring system had detected anomalies in that database the day before. For the past two years, a migration has been actively underway to migrate customer data from Starwood’s database to that of the Marriott chain. At that time, however, the Starwood system was still separate from that of the Marriott chain.
The day before, 07/09/2018, a request came from an internal Starwood user of an administrative account on a database to return the number of rows of a table of this database. Such requests are displayed by the monitoring software as they are considered dangerous because the database usually does not need to execute such requests. For this reason, a human would have had to enter the command by hand. However, the owner of the user account had not executed the request, which is why it was known that it was a possible attack.
Forensic specialists were brought in to assist on 10/09/2018. Within a week, malware was found in the Starwood IT system. Investigators have found a RAT (remote access trojan). Such software enables covert access, monitoring and control over a computer.
The CEO had learned about this condition the day after, and the board the day after that. Despite the malware on Starwood systems, there was no evidence of unauthorized access to customer data.
In October 2018, Mimikatz was found on Starwood systems devices. This is an application that can be used to perform penetration tests. It scans the memory of the infected device for usernames and passwords and was probably used to obtain more data from users of Starwood systems. Investigators, however, still found no evidence stolen customer data.
In November 2018, investigators discovered that the attackers had been active on Starwoods IT systems since July 2014. So the attack had been going on for 4 years.
Then, on November 14, 2018, proof of the data leak was found. Two compressed and encrypted files were detected potentially removed from an internal device. These files might have been removed from the system to hide traces.
On November 19, 2018, investigators decrypted the files: one of them contained an export from Starwood’s reservations database, including customer data. The other file contained passport data.
On that day, the leak was published by the hotel chain.
Further reading and references:
https://www.wsj.com/articles/marriott-expects-to-open-1-700-hotels-11552905407 (18.03.2019)
https://www.grc.com/securitynow.htm Episode #705 (03/18/2019)
https://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/ (03/18/2019)