Autopsying the Marriott Data Breach: This is why insurance matters

So far, Marriott’s massive 2018 breach has cost it just $3,000,000

Today we’re going to autopsy last year’s Marriott data breach, which affected nearly 400,000,000 guests and looked to be one of the most pervasive breaches in history.

There are a few big takeaways that come with this, and we spoke with a range of security experts to get their opinions on them. We’ll cover what happened, why it happened, who did it, and whether the culprit exonerates Marriott. But first we’re going to start with a quick refresher, followed by the Marriott Data Breach’s total cost, which was updated at the start of March.

Let’s hash it out.

The Marriott Data Breach in Five Minutes

By this point, pretty much everyone is at least aware of the Marriott Data Breach, but let’s at least cover the basics before we get into unraveling the ramifications of it all.

For starters, this breach is huge. By some estimates it’s the second biggest of all-time, behind only Yahoo and well ahead of Equifax. The breach actually began in 2014 and wasn’t discovered until September 10th of this year. In the four years between the network being breached and said discovery, “up to approximately 500 million guests” made reservations using the compromised system and now potentially have their personal data compromised.

Things like:

  • Full names
  • Mailing addresses
  • Phone numbers
  • Email Addresses
  • Passport numbers
  • Starwood Preferred Guest account information
  • Birthdates
  • Genders
  • Arrival/Departure

Greg Scott is a cybersecurity researcher and author; one of his biggest issues with the cybersecurity world in general is companies’ reticence to disclose information about breaches and attacks. This occurs for a number of reasons, not the least of which is to protect their reputation, but that tack doesn’t help to improve the security ecosystem.

“As far as I can tell, nobody is talking in public about specifics,” says Scott. “This is a shame. We can speculate based on other attacks, but until somebody involved speaks up, all we have is speculation. We may never find out what happened. And that’s a huge problem with all these attacks – everyone hides behind ‘it’s an ongoing investigation’ and so everyone else keeps making the same mistakes. Every attack I’ve been able to analyze – every single one – was preventable.”

Marriott Data Breach – Total Cost: This Is Why You Need Good Insurance

We knew Marriott had cybersecurity liability insurance from a release it made following the disclosure of its breach. What we did not know at the time is how adequate that coverage would be. Cybersecurity insurance is still developing, with a patchwork of policies from different insurers covering different things.

We actually took a deep dive on Cyber Insurance last year if you’re interested in learning a bit more.

Although we carry cyber/privacy liability insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all losses or all types of claims that may arise in connection with cyber-attacks, security breaches, and other related breaches. Furthermore, in the future such insurance may not be available to us on commercially reasonable terms, or at all.

It’s clear from that statement that even Marriott wasn’t sure how this situation was going to play out with its insurance and it was already preparing itself for a shifting insurance market and the possibility that it would be unable to find coverage in the future.

That concern may have been a bit premature. While there has been rampant speculation that this breach will cost billions (speculation based on extrapolated costs from a Ponemon study), so far the total has been far below that.

At the beginning of March, Marriott released its earnings report for Q4 of 2018, as well as its full-year 2018 report. Buried in its press release, on page five, is mention of the costs incurred so far.

In the 2018 fourth quarter, the company incurred $28 million of expenses and recognized $25 million of insurance proceeds related to the data security incident it disclosed on November 30, 2018.

Admittedly, referring to one of the most massive breaches in history as “the data security incident” is either somewhat ominous or a massive understatement – it’s tough to tell.

Regardless, Marriott appears to have been able to use its existing insurance policy to help mitigate most of the cost so far. There are still potential regulatory and compliance fines, plus lawsuits. Marriott’s cyber insurance may kick in on some of those, too, but we also don’t know enough about the policy to estimate how much, if at all.

“The attack may point to out of date or badly implemented security on point of sale and reservation systems,” says Ray Walsh, a cybersecurity and VPN expert. “Unfortunately for the Marriott, which now faces a massive class-action lawsuit, it is possible that the hack was performed by infiltrating systems using a phishing attack. Such methods are relatively crude but can lead to infection with sophisticated malware and trojans that permit hackers to download secondary exploits from Command and Control servers. If the past is anything to go by, the consequences for the Marriott will likely be an expensive out of court settlement.”

As we mentioned earlier, the parallel being most commonly made is to the Equifax situation, but that’s not necessarily a 1:1 comparison. Equifax was a credit monitoring agency, one whose data was arguably more lucrative than Marriott’s. That’s not to say that Marriott’s data isn’t valuable – it is. But you could also turn around the Equifax information and either sell it or commit fraud with it more quickly than what would be required with Marriott’s. Part of that can be attributed to the difference in the data that was stolen, and some of it is likely a result of the redundancies in the Marriott database – where the same individuals may have multiple entries across different Marriott brands and properties. There’s also a difference between who was behind the two breaches, which we’ll get to in a moment.

We will continue to update this part of the article as more of the details about the Marriott Data Breach’s cost become available.

Marriott’s Security Posture Was Likely Poor, But Its Response Was Worse…

Realistically, we’re reaching a point where attacks and breaches are so commonplace that you almost have to resign yourself to the fact that it’s no longer a matter of if – but when. So while maintaining a good security posture is critical, an organization’s response to a cyber attack or breach is equally, if not more important.

“Most of the criticism of Marriott and Starwood has centered around its response to the hack and not that it was compromised in the first place,” says Rob Black, CISSP, the founder and managing principal of Fractional CISO. “The fact that it was a state sponsored attack will certainly diminish Marriott’s culpability in many minds. However, regardless of the attacker, Marriott’s detection and response was not ideal.”

Black pointed to a range of issues that became obvious in the days and weeks after Marriott’s disclosure:

  • That it took Marriott 4 years to detect the breach
  • That its due diligence during its acquisition of Starwood didn’t turn this up
  • That it waited months to disclose the breach (November 30) after discovering it in September
  • That it potentially violated the SEC’s reporting timeframes
  • That in all likelihood its security controls were lacking

“When a breach occurs, the executive management team is responsible,” says Black. “Having a response plan in place before the incident allows for the clean up and communication to go much smoother. The incident response plan could be the difference between an executive team being removed when an incident occurs.”

Too Much Trust in Employees – Or Not Enough?

As we mentioned, this attack actually began in 2014 and was carried out over four years before it was finally discovered. As scary as that sounds though, it’s hardly an isolated incident.

“This type of ‘lying in wait’ threat is driving many IT organizations to rethink how they secure their network to combat hackers who are sophisticated and patient enough to wait for the big payoff,” said Dan Dearing, the Senior Director of Product Management for Pulse Secure. “The new security buzzword that describes how companies can defeat this type of threat is ‘zero-trust.’ Essentially, IT cannot trust anything or anyone inside or outside of their network. Instead, they must deploy security tools that help enable them to always verify who the user is, whether the user is authorized to access the desired application or data, and finally if the user’s laptop or mobile device meets the security standards of the company. Only if all three conditions are met is the user allowed on the network.”

Others, like Grant Elliott, the CEO of the SaaS platform maker, Ostendio, disagree. He thinks employees need to be better informed and trained to identify and respond to digital threats.

“Organizations need to stop treating their people as the problem, but rather as the first line of defense. Investments need to be made in better training, better vendor management, and data needs to be viewed less in terms of ‘Ownership’ and more around ‘Right of Use’ and ‘Right of Access’. The government can help too by improving incentives, both positive like tax credits for training, and punitive like GDPR and the soon-to-be-introduced CCPA.”

The Marriott Breach Was Likely Caused by a Chinese State-Backed Attacker

When the other shoe dropped in the Marriott Data Breach scandal it landed with a sickening thud. The New York Times and the Washington Post quickly reported that Chinese state-backed hackers were likely responsible for the breach.

And if that doesn’t make the hair on the back of your neck stand up a little—it should. This is yet another escalation in a burgeoning cyber war between the world’s foremost powers. The US has already been engaged in a high profile spat with Russia stemming from its interference in the 2016 US Presidential elections.

While nobody was under the impression that the US and China were playing nicely, this shines more light on the conflict than we’ve seen in recent years.

But does that, at least partially, let Marriott off the hook?

“Not one bit,” says Greg Scott. “Although execs will surely try to use that as an excuse. State-backed actors don’t have any more creativity than private crooks looking to make money. [Though] state backed actors may have more patience and more resources. Which means potential victim companies need to remain vigilant… Big companies and small companies and everyone else are *already* in the crossfire of a cyber war. It’s not burgeoning, it’s already here. And it’s not just between the US and China, it’s between everyone who has data, and lots of attackers who want to steal it. Why would anyone be surprised that the enemies of the United States try to steal secrets from US companies? The question we should all ask is, why are our companies *still* so unprepared, even after years of headlines?”

Grant Elliott agrees:

“While it is difficult for any company to protect against a sustained state-owned hack by a foreign government, there is a reason these types of breaches keep occurring. Many US companies are an easy target. Why? The state of corporate cyber-defense in the US is at best inconsistent, and at worst broadly mediocre. That is not to say some companies don’t spend a lot of money on security. But often they spend it on buying the latest shiny new cyber-tool, rather than focusing on developing a broad risk-based approach.

“Security budgets are delegated to the CISO, who often sits within the IT function, meaning solutions tend to be tech rather than people focused. While technology should play a key role in any cyber defense strategy, risk management must come first, and in the cloud-based, IoT orientated environment we operate in, no technology can, on its own, ring-fence our data.”

Black, who works closely with CISOs, agrees that US companies need to increase their security spend and better train their employees. But he’s much more fatalistic about our current digital reality.

“As a society, we should expect that our country’s enemies will use our data and infrastructure to try and undermine the United States and its companies. As a consumer, we should all be prepared for our data to be exposed.”

That seems like a nice, cheery note to end on.

As always, leave any comments or questions below…

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.