Marriott – The Starwood hack and the rapid recovery

Last week, CEO Arne Sorenson issued a statement with new details about the breach at Marriott: on November 30, 2018, investigators had discovered that 383 million customer records, 18.5 million passwords, 5.25 million passport numbers, 9.1 million encrypted credit card numbers and 385,000 valid credit card numbers had been stolen. The resulting damage may be enormous, and there will be victims who cannot be compensated. In the month following the announcement, the MAR share price lost more than 12% of its value (down to $100.99).

The share price has since recovered to $124.96 (as of 18.03.2019), and it was announced today that 1,700 new hotels are to be opened by 2021.

This is certainly a fortunate development for Marriott, but the question remains what the damage will amount to in figures, and whether the focus on security will continue to intensify or whether this rapid recovery will dampen it.

The course of events:

On September 8, 2018, Accenture, which manages the Starwood database holding the reservation data, announced that the IBM Guardium monitoring system had detected anomalies in this database the day before. A migration of customer data from Starwood’s database to that of the Marriott chain had been underway for two years. At that time, however, the Starwood system was still separate from that of the Marriott chain.

The day before, on 07.09.2018, an administrative account belonging to an internal Starwood user had sent a query to a database asking for the number of rows in one of its tables. The monitoring software flags such queries as dangerous because the database does not usually have to execute them, which means a human would have had to enter the command manually. However, the owner of the user account had not executed the query, so it was clear that this was a possible attack.
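The kind of rule described above can be sketched over database audit records. This is an added example, not Guardium's rule logic or anything taken from the incident; the log format, account names and table names are constructed for illustration.

```python
import re

# Constructed audit records (not from the incident): time|db_user|sql
AUDIT_LOG = """\
2018-09-07T02:10:44|app_reservations|SELECT id, arrival FROM reservations WHERE guest_id = 1842
2018-09-07T02:11:02|app_reservations|SELECT COUNT(*) FROM reservations WHERE arrival = '2018-09-08'
2018-09-07T02:13:37|dba_admin01|select count(*) from guest_profiles
2018-09-07T02:14:05|dba_admin01|SELECT  COUNT( 1 )  FROM reservations ;
2018-09-07T02:15:00|dba_admin01|UPDATE maintenance_jobs SET last_run = NOW() WHERE id = 3
"""

ADMIN_ACCOUNTS = {"dba_admin01"}  # hypothetical administrative account names

# Unfiltered row count of a whole table: COUNT(*) or COUNT(1) with no WHERE clause.
# Application queries normally filter, so this shape suggests someone sizing up a table.
ROW_COUNT = re.compile(
    r"^\s*select\s+count\s*\(\s*(?:\*|1)\s*\)\s+from\s+([\w.]+)\s*;?\s*$",
    re.IGNORECASE,
)

def parse(line):
    """Split one audit record; the SQL text may itself contain '|'."""
    ts, user, sql = line.split("|", 2)
    return {"time": ts, "user": user, "sql": sql.strip()}

def find_row_count_alerts(log_text, admin_accounts=ADMIN_ACCOUNTS):
    """Return whole-table row-count queries issued by administrative accounts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        match = ROW_COUNT.match(rec["sql"])
        if match and rec["user"] in admin_accounts:
            alerts.append({**rec, "table": match.group(1).lower()})
    return alerts

if __name__ == "__main__":
    for a in find_row_count_alerts(AUDIT_LOG):
        # The follow-up is the step that mattered here: ask the account owner.
        print(f'{a["time"]} ALERT {a["user"]} counted rows of {a["table"]}: '
              "confirm with the account owner")
```

The alert only becomes evidence of an intrusion once the account owner denies having run the query, which is the confirmation step the investigators relied on.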

On 10.09.2018, forensic experts were brought in to provide support. Within a week, malware was found in the Starwood IT system. The investigators found a RAT (remote access trojan). Such software enables covert access, monitoring and control of a computer.

The CEO found out about this situation the following day, the Board of Directors the day after that. Despite the malware on the Starwood systems, there was no evidence of unauthorized access to customer data.

In October 2018, Mimikatz was found on devices in the Starwood systems. This is an application that can be used to carry out penetration tests. It searches the memory of the infected device for usernames and passwords and was probably used to obtain further data from users of the Starwood systems. However, investigators had still not found any evidence of stolen customer data.

In November 2018, investigators discovered that the attackers had been active on the Starwood IT systems since July 2014. The attack had therefore been going on for 4 years.

On November 14, 2018, proof of the data leak was found. Two compressed and encrypted files were discovered that had potentially been removed from an internal device. These files may have been removed from the system to conceal traces.

On November 19, 2018, the investigators decrypted the files: One of these files contained an export from the Starwood database for reservations, including customer data. The other file contained passport data.

On that day, the leak was made public by the hotel chain.
