Marriott Data Breach 2014 - 2018
The incident, which occurred on September 8, 2018, involved a breach detected when Accenture's monitoring tool, Guardium, flagged an unusual database query. It was later determined that unauthorized access to the Starwood database had taken place in 2014, compromising data from approximately 500 million guests. Marriott issued a statement about the breach on November 30, 2018.
In terms of incident detection and analysis, Guardium, an IBM security product, played a crucial role in triggering the alert. Investigators found evidence of a Remote Access Trojan (RAT) and Mimikatz, a tool for sniffing out username/password combinations. The incident revealed that Trojans were often downloaded from phishing emails.
The incident response involved several steps. First, containment and access control measures were implemented. Legal counsel and industry experts were consulted for the investigation, and third-party investigators were brought in on September 10th. It was discovered that the RAT had been present since September, with unauthorized access dating back to July 2014, confirmed in November.
The eradication and recovery phase included contacting the FBI on October 29th and publicly announcing the incident on November 30th. Marriott disabled all Domain Administrator accounts and updated databases. The incident incurred $28 million in expenses by March 2019, but this was reduced to $1 million thanks to cyber insurance coverage.
For guest support, Marriott provided a dedicated website and call center, sent email notifications to affected individuals, offered free WebWatcher enrollment for affected guests, and covered the costs of issuing new passports and credit cards.
Key takeaways from this incident include the importance of defense in depth to prevent long-term undetected attacks, the necessity of keeping encrypted data and keys separate, the significance of system security updates, and the risks associated with third-party relationships. Continuous monitoring and regular scans were emphasized, as was the adoption of an "assume you are compromised" policy. This incident also underscored the crucial nature of investing in cybersecurity and the value of cybersecurity insurance in mitigating financial losses.