Marriott Was Hacked -- Again

Marriott announced another data breach, this one affecting 5.2 million people:

At this point, we believe that the following information may have been involved, although not all of this information was present for every guest involved:

  • Contact Details (e.g., name, mailing address, email address, and phone number)
  • Loyalty Account Information (e.g., account number and points balance, but not passwords)
  • Additional Personal Details (e.g., company, gender, and birthday day and month)
  • Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
  • Preferences (e.g., stay/room preferences and language preference)

This isn't nearly as bad as the 2014 Marriott breach -- made public in 2018 -- which was the work of the Chinese government. But it does call into question whether Marriott is taking security seriously at all. It would be nice if there were a government regulatory body that could investigate and hold the company accountable.

Tags: , , , ,

Posted on April 2, 2020 at 11:33 AM • 18 Comments

Comments

uh, MikeApril 2, 2020 12:33 PM

Bruce, asking the government to enforce security is preposterous.
One, they're bad at security.
Two, they want to spy on us.

Tim BradshawApril 2, 2020 1:26 PM

Here in the UK we have a government who think it's just fine to use Zoom for cabinet meetings, when Zoom turns out not to be end-to-end encrypted at all. I fully suspect that the UK's nuclear launch codes are kept in a world-writable Google docs file entitled 'super-secret nuclear launch codes!!!', because what could go wrong with that?

I wouldn't trust them to organise a body competent to regulate the security of a cat.

Perhaps the US government are vastly more competent. Perhaps.

A dubious personApril 2, 2020 4:13 PM

> It would be nice if there were a government regulatory body that could
> investigate and hold the company accountable.

Yeah, that sure would be nice, wouldn't it? Unfortunately the obvious candidate for that is the FTC, so I figure I'll be flying around in my third-generation personal aircar before we proles see any progress made against the big data cargo cultists.

(Thanks much for using the subjunctive there, btw. It's those little things that so many people just can't seem to be bothered with that make all the difference to me.)

eggs over easyApril 2, 2020 4:25 PM

I'm currently laid off from a Marriott property because of "you know what". My secondary job at our hotel is all things tech and IT related. When I started over 10 years ago pretty much everything was in house.

The reservation system system we use is what I call a multi moat system and to do most anything requires privileged access, security and firewall apps, alligators, calls to tech support again, so I doubt that is the source of the breach. Other initiatives such as encrypted cc machines were in well before say the Home Depot issues, and on the whole I think Marriott does take security seriously but, but.

Those who are on the Branding and customer service and satisfaction side may have of late a greater influence. There is a system in place called GXP (Guest Experience Platform), this is what first came to mind after reading the Marriott Statement, and the app is part of the SALESFORCE universe, a third party! It seems this was less a hack job, but that the app has/had a vulnerability that a couple of folks stumbled on and took advantage of.

I'll let others add to or correct as needed.

Mayra CortesApril 2, 2020 7:48 PM

Hey, Well that is too much of the personal information hacked from a 5-star hotel chain. I don't know how these people are going to fix the problem of a security breach. why don't they take the help of some government organization and catch the culprits or these hidden organizations who hack want to spy on us?

ThatguyApril 3, 2020 5:29 AM

In my honest opinion as a millennial working in the cybersecurity field, and having a good idea regarding the sophistication, relentlessness and creativity of attackers. Enough is enough. Maybe it's just the stress of quarantine taking its toll on me, however, when are we going to acknowledge that almost no one has a grasp on securing their systems and networks? We are trying to create ingenious workarounds and new ways to mitigate and layer defensive measures and automate incident response, on top of an inherently non-secure protocols. Whether a network intrusion originates from a zero-day, misconfiguration, unpatched systems, unsecured IoT's or printers, the network phone system, vending machines that take credit cards, a 65-year-old secretary that clicked on a phishing email, an infected media someone plugged in somewhere, and even a rookie system admin forgetting to save settings after configuring the firewall. Even though these are all separate non-related issues, and we will yell at the 65-year-old secretary. Re-educate her for the 100th time to analyze headers and check the file hash on VirusTotal and mxtools if in doubt, and stop being a Noob. Today's networks, servers, domains, are too convoluted with constantly changing variables in terms of options and features, configurations, devices, models, patch iterations, programs, etc. What do Marriot, Target, HomeDepot, Equifax, and WaWa have in common?... None of them are tech companies. They are in the business of renting hotel rooms, selling lumber and tools, and logging credit scores. Not to invest untold millions into a comprehensive IT security solution, 24/7 SoC, expert security staff (if you can even find them), and other latest and greatest security mechanisms. Not to mention the cost of training staff on how to be secure. This puts an undue financial burden on the thousands of other small businesses, hospitals, and municipalities already struggling.

According to selfkey.org "State of the breach January 2020: AT LEAST 7.9 billion records, including credit card numbers, home addresses, phone numbers, and other highly sensitive information, have been exposed through data breaches since 2019."

This is a critical problem that will only be getting worse. It's out of control. I don't have a solution in mind, aside from a complete redesign from the ground up on protocols, chips, operating systems with security as the primary mechanism. We may have to get the government involved to require certain standards to be met via some sort of security framework. Simply put, the status quo is not an acceptable way forward.

PhaeteApril 3, 2020 6:08 AM

But it does call into question whether Marriott is taking security seriously at all.

It's not needed to take security seriously nowadays.
You just need to look like you are taking it serious, make empty statement about "Our Goal" "Our Dedication" or "We Focus on" etc.
There is very little to no chance someone can disprove those.

Furthermore, The average now is one breach per X years, so most companies can afford a leak, it almost has become the new norm that it is allowed as long as it is properly spun.

No surely not, it was not one of our employees that had local admin rights and got a nasty while surfing some korean manga sites on company time.

We were hit by a nation state malware assault, we were targeted because we are such a successful company, our government needs to protect us against these foreign attacks. They want to take away our 'freedom'....etc

And no need for that many nerds in our company, they don't fit that well, some slick PR dude is much better company.

FrostySoldierApril 3, 2020 8:26 AM

@Thatguy

Whilst the idea of a "from the ground up" redesign of everything from our chips to our protocols and operating systems may seem superficially attractive, it's not practical. The cost is prohibitive, it would either breaks backwards compatibility(requiring everything to be rewritten) or fail to achieve it's security goals because it leaves the "continue as you were" option open, and it takes a load of stuff that's been pounded on for decades by researchers and replaces it with brand new untested stuff that will likely be just a full of bugs.

Instead I'd encourage companies to take measures such as:
- Resist the temptation to collect data they don't need in the first place, or to retain data "in case they need it later". Data is often an asset, but its always a liability
- Look at measures that isolate external email and web browsing from other systems
- Use sensible hygiene measures like least privilege, rapid patch rollout etc

Clive RobinsonApril 3, 2020 11:25 AM

@ ThatGuy,

however, when are we going to acknowledge that almost no one has a grasp on securing their systems and networks?

Let me think, well over a decade ago for me and quite a few of the regulars back then, most of whom have drifted away from this blog for one reason or another.

My thinking started more or less as yours does now,

This is a critical problem that will only be getting worse. It's out of control. I don't have a solution in mind, aside from a complete redesign from the ground up on protocols, chips, operating systems with security as the primary mechanism. We may have to get the government involved to require certain standards to be met via some sort of security framework. Simply put, the status quo is not an acceptable way forward.

The first thing you have to realise is a "top down" approach to security does not work for a whole heap of reasons. It's why despite of over three decades of "formal methods" being used the resulting systems are always vulnerable to "bottom up attacks". Put simply if I control the memory layer in the computing stack, every preventative scheme you put in place above the memory layer ends up being dependent on the memory in some way, thus it's under my control. In effect the attack "bubbles up" through the computing stack like bubbles in a champagne flute. The tinyiest of totaly imperceptible flaws gives rise to a bubble of ever increasing attack surface that bursts through at the user level.

But the same applies from even further down the computing stack. That is if I know how to play games with the low level device physics down at the quantum level I too can have a "bubbling up attack" that grows at every level giving me control on each successive layer up the computing layer. What realy scares the likes of the Dept of Defence, is that it does not stop at the user interface level, like all propaganda it can rise up through those in the chain of command and cause all sorts of problems (see "The Man who never was"[1]).

There is no way to stop a bubbling up attack in a conventional computer architecture stack. Because the computer tells you what it has been told to tell you, and you have no way to see this from the user level in the stack.

Thus you only have two ways to go.

1, Mittigation by segregation.
2, Addopting a different architecture.

The simplest solution is the first, if there is no connection by which an attacker can communicate with your system then they cannot attack it.

For a very basic physics perspective, 'for communications to happen "work must be done"'. The more formal definition of work is "Energy over time" and time can be measured as the reciprocal of bandwidth. Thus TEMPEST and EmSec fundementaly work on limiting "energy and bandwidth".

That is the less you have of either or both "energy" or "bandwidth" in the Shannon Channel then the less work you can do through that Shannon Channel. I've discussed both EmSeg segregation and bandwidth and "Energy Gapping" at length on this blog over the years, and the things you need to deny to the adversary. These are the freedoms of "time" as jitter, phase, bandwidth and "energy" in all it's forms be it transported by radiation, conduction, convection, or piggy backed on some physical medium. Also the less realised use of energy converters more normally called "transducers", especially those with nonlinear behaviour.

However "Energy Gapping" has a problem not only does it keep the bad guys and their bad information out, it also keeps the good guys and their good information out. I guess it kind of goes without saying that no matter how fast, efficient, or powerfull a computer is, it's just spinning it's cycles if it has no information to process. Thus you need some kind of "gap crossing" mechanisum that acts as a "choke point" to let only good information in and squeeze out bad information.

The problem is that information is like "feed stock" in a factory, it's generally agnostic to the use the factory is going to put it too. Just like the "tools" in the factory that work upon the information. Thus you have to be able to tell if,

1A, Information is good or bad.
1B, It's use is good or bad.

In both cases "good or bad" is a human concept within any given context, which are "human views of the world". That is computers have no notion of "good, bad, and context" all they have are "rules, data sources and data sinks". It's the job of humans to map the human "good, bad, and context" into the computers rules. And it is this we realy realy suck at for various reasons. One of the biggest is "commercial imperative" which gives rise to amongst other things "technical debt". Basically because of it over 99.9% of code realy is, not only "not fit for the intended purpose" it's also "not secure by any reasonable measure". For instance back last century Microsoft DOS was "user mode only" they went through several itterations of Windows and even with an OS that had both "user and kernel modes" (NT) they kept Windows through out in "user mode"... It was only in this century they started to move bits of Win32 into kernel mode. By then so much technical debt had built up, that for "backwards compatability" reasons large sections of Win32 still run in "user mode". As it's not that difficult to abuse the Shannon channel passing mechanisms between user and kernel modes to get privilege escalation it's unsuprisingly a significant security issue... Microsoft have know about this for decades and have not done anything about it untill being "embarrassed" into doing so...

So trying to tell good from bad across any Shannon channel is probabilistic as is trying to determine context. So security by energy gapping whilst it is a good mitigation, the transportation of information in or out which requires a Shannon Channel in each case is at best "hit or miss".

The Shannon channel problems exists with all architectures of all sizes, including the basic "perimiter security model" which is the fundimental of just about all commercial security offerings at some point.

Which means you have to look at option two of an altered architectur.

I did this and came up with some interesting measures, however it was not pipular with some who wanted to stick with the beoken computing model we currently use, which as I've pointed out above can not be secure...

Sometimes I wonder if people realy want security, and then I read a report that says what the market size of the computer security market is, I think yet again 'there is two much "future money" in securiry solutions' that many will see improving security as "breaking their rice bowl".

And that's the rub, "commercial imperative" has created so many flaws it should not have, it's actually created a lucrative "faux market" that expands in different ways every day. It's become like the hydra of myth, you cut off one head only for another two to appear in it's place...

[1] The book tells the story of the WWII disinformation operation called "Mincemeat" which amoungst other things stopped the Germans effectively deploying troops and armour in Sothern Europe. Similar operations to create a fake "Patton's Army" in Kent via the "Twenty Committee" (from Roman numerals XX which is also a "double cross") did the same for D-Day and for several days thereafter enabling a beachhead to be established and the Invasion of Europe to start in the West of Europe and bring about the end of WWII.

Clive RobinsonApril 3, 2020 12:40 PM

@ Phaete,

We were hit by a nation state malware assault, we were targeted because we are such a successful company

There is a smidgen of truth in this for most companies that get hit.

There is a story about Willy Sutton being asked why he robbed banks. Hi reply applies equally as well for it security and it was,

    That's where the money is

In this case it's "that's where the data is" that the attackers might have plans for monetizing, or turn into other perceived value (think Office of Personnel Managment for a non money "value").

There were two things that reduced bank robbery,

1, Banks tried to have as little available to steal as possible.

2, Inflation rendered the purchase value of money down to the point that you physically could not steal much value.

The first is an object security lesson for companies holding records,

    The less records you have the less of a target you are.

But the inflation point is also a slightly subtler lesson,

    The less values the records have the less of a target you are.

There are several ways to make records that might still be of value to you, but of near zero value to anyone else.

The problem is the "Money left on the table" attitude. There are many that believe that the more data you have the more each record in that data is worth. Thus not collecting every bit of data you can is the same as "leaving money on the table".

The problem is data only has value to others if they can make a peofit on analysing it. The thing is most data analysis actually costs more in real terms than the percieved value of the analysed results, but it becomes an "Emperor's New Cloths" problem. Somebody has spun a yarn that is of supposed fabulous wealth that can be obtained, to get the money to get the project up and running. Often as not if they are smart they are nolonger around when the time comes for the whole cloth to be produced. Thus those remaining dare not tell the Emperor that not only is it worthless it's transparently so...

I've mentioned this little trick before, as the person who starts the project you realy do not want to take any risk yourself. So about one third of the way into the project you use it to get a job at another employer using it as an example of your vision / leadership / foresight / etc, basically you can say what you like to put polish on the turd. By the time the project is two thirds of the way through, you either have your feet firmly under the table at a new job with minimal personal risk, or you are doing the same thing again and jumping ship. When the project finishes if it's a success you can claim it as your success for setting the foundations and vision on which lesser mortals built. If it's a failure you say more or less the same thing but the failure all belongs to those mortals who did not follow your plan... It's almost certain they did not follow your plan because if it is a "crock of 5hite" which it probably always was, those stuck on the project you left behind will know by two thirds of the way in and will be all hands to the pump trying to keep the ship afloat... Either way you win and it makes your C.V. Shine...

But the chances are good you get a "Brucey Bonus"[1] if the project is a failure, it won't get talked about as being so for quite some time after the project finishes, and more than likely it will not get spoken of as a failure for obvious reasons. What will happen is it will get "swept under the carpet" somehow, most likely by "amalgamating it into a new project"... Worse someone who does not think will almost certainly "pick over the carcus" for choice bits to reuse, so the rot goes on pushing up an ever larger pile of technical debt as it goes... And people ask why "so many big projects fail" the reality is rather more as a percentage of small projects fail --about 9 in 10-- only with small projects hanging the body up in a cupboard untill it becomes a skeleton is oh so much easier...

[1] Despite what you might read on the Internet a "Brucey Bonus" is originaly a catch phrase of Bruce Forsyth on an English telivison Game show going back into atleast the 1980's.

La AbejaApril 3, 2020 1:31 PM

@Thatguy

millennial working in the cybersecurity field, ... a 65-year-old secretary ... clicked on a phishing email,

@FrostySoldier

sensible hygiene measures like least privilege, rapid patch rollout etc.

There's an old lady, some guy wants a pretty nurse rather than an old secretary, and there are a whole crew of bosses, authorities, military commanders, and police officers ordering everyone around, and we're starting to get the picture they just want us in Leavenworth or Gitmo no matter what.

That's generally the main issue of "privileges" vs "rights" which none of us really have in the U.S. anymore. And no, they are not going to let us have our rights back after the war, not even if we fight the war and win the war.

TPTB in effect have declared war on us the people.

PhaeteApril 3, 2020 3:40 PM

@Clive

There is a smidgen of truth in this for most companies that get hit.

I agree, there is truth in my sarcastic remark.
It is however a phrase that lost its meaning because it is said at 90% of all breaches (the ones with spin PR).
Its said because it is accepted and expected.
Kind of the americans saying "How are you" when they mean "Hello".
They are not really expecting a reply about how you really are, but are expecting just a murmur of acknowledgement so they can continue their conversation or their way.

And we are forcing the companies into these spinstories, we expected the fluff, we don't want just boring fact and moderated hope (most won't even stand for it and publicly critise those)

Clive RobinsonApril 3, 2020 4:43 PM

@ Phaete,

It is however a phrase that lost its meaning because it is said at 90% of all breaches (the ones with spin PR).

Sadly much as I would like otherwise that is the way of the world. It is in part due to the US legal system we get these "formulaic statments". Basicallybthey have been "pre approved by legal" that tells you something even more horrific,

    Most companies know they are going to be cyber-breached real soon and that PPI in the million up will be taken. So rather than reduce the risk they get legal and PR to prepare statments...

That is what the world has become, no one taking responsability and every one reaching for a lawyer.

A friend not to long ago set up a small manufacturing business in the US... There are as many lawyers on the payroll as there are other office staff... Admittedly one is also an accountant as well and specialises in what you might call "running cost minimization". Another is an IntProp specialist that is a later in life second string to their bow as being an engineer.

But even so that's a heck of a lot of legal muscle for a company that just makes agricultural and land scaping machines...

NinjamamaApril 3, 2020 4:47 PM

I find it funny that they offer a free year of Experian protection as a compensating control. Talk about a fox watching the henhouse

La AbejaApril 3, 2020 5:40 PM

@Ninjamama

henhouse

That's an apt description of any ***** hotel chain.

Looking for longer-term housing, but everything in town is rented out by the night with bed linens, breakfast and service of legal process.

I'm poor, and I have to pay $$$$$ price for a whole multitude of * services that I don't want or need.

My monthly housing budget only covers a week in any of these areas, laundry not included, if I had $20 for an extra roll of quarters every week and somebody didn't steal it from me and serve me off the property of the laundromat with a criminal trespass warrant after seizing all my laundry, and taking my computer, cellphone, driver's license and other effects on a personal property confiscation warrant and putting me in prison on some other warrant for someone else's name.

Experian

They don't really help. The dumb-ass Democrat doctors who kept me involuntarily and revoked my gun rights for the rest of my life are still trying to collect on unpaid medical bills which I allegedly owe. By and by they're going to prison for medical billing fraud, of course, but that's too little too late to help me in this life.

The cops, judges, street ladies and lawyers have got to pay their debts to society for destroying my life and the lives of so many others without cause, too. They've got to to go to prison. They can't be allowed to ruin our lives for us and make all our decisions for us on our behalf.

Those working girl community women will have to be thoroughly punished — in equal measure to the men — in order to disabuse them of such notions of inordinate command, authority, and abuse of power.

ThatguyApril 3, 2020 7:22 PM

@Clive

Thanks for your detailed reply. You have a much deeper knowledge and understanding regarding the totality of the situation than I do. You operate on a different level than my current understanding and skill level. I suppose I am just expressing frustration at what I see coming down the road in the immediate future. The economic ramifications of the coronavirus/quarantines relative to business' network security. From my perspective.... "Winter is coming."

Clive RobinsonApril 4, 2020 4:50 AM

@ ,

I suppose I am just expressing frustration at what I see coming down the road in the immediate future.

As I was some thirty years ago.

My advantage if you like is that I've been thinking about it longer than most others. Not because my crystal ball is any bigger and shinier, but because I was in at the start of it security wise. Being an engineer I was an "old school hacker" of the original MIT Model Railway Club type back in the late 1970's. I designed computers at all levels thus I got to see a lot.

But even years before that as a pre-schooler I was insanely curious about the world and the way mechanics worked, thus as the most complicated mechanical things I was aloud near was locks. So I learnt to pick them out of curiosity. As a teen I'd moved onto elrctronics and Pirate Radio, which got me into computers before "home computing" came about. So I was kind of "Born into the harness" as it were.

I'm still intensely curious as to why things fail, and how to improve them and what goes into the failure. The "human" problems I've seen since being a teen have nearly all been "security" in one way or another, so I guess I've developed what our host @Bruce calls "thinking hinky", you never know their might be a gene for it ;-)

Sadly what was easy for me because the world was not realy technically complicated in the 1950's through 80's and thus you could self learn, and walk into a good job has changed. Technology wise we have become insanely technically complicated, for realy no practical reason. Thus there are few paths into the "gnarly forrest" other than via software, and that has become way way more complex, convoluted and complicated than it ever needed to be.

That is software has developed serious quasi-religious behaviours with a lot of complexity for show and mysticism, just to keep the unknowing out. In essence it's become almost a branch of well known cult behaviours, where large amounts of money are sort by cult worthies for what is basically worthless knowledge, that will change as fast as a writhing snake to keep the money flowing and the worthies in the top of the hierarchy (think pyramid selling).

One sure sign things are going bad is when a practitioner in the art, can not make the tools they need before they starve. I know very few people these days who have actually built their own tool chain from physically making a computer and programing it first by diodes and switches all the way up to a functional interpreter / compiler, it's what you did in the 1970's and early 80's and even though it was a right royal pain to do so it was how home computing started and you learnt a lot of foundation material along the way that you don't even get taught these days. It also gave you insight into how security works or does not work at the lowest levels

My advice as always is "be eternally curious and live to learn". Because at the end of the day it's knowledge above physical skill or prowess that makes you a master of an art. Even in sport, this is true, it's our ability to see, recognise and learn from our observations that keeps us ahead of the competition, and always will do. Irrespective of the tools made by others we may have or may not have to hand. Tools function, animals react, but only humans realy predict past the next meal or two.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

← Dark Web Hosting Provider Hacked Bug Bounty Programs Are Being Used to Buy Silence →

Sidebar photo of Bruce Schneier by Joe MacInnis.