
As the week came to a close yesterday, there was one news item that kept appearing in the news feed of my LinkedIn account: the massive Security breach that occurred at the Marriott hotel chain. Sure, as Cybersecurity professionals, we hear about this almost every day, and it has come to the point now that if nothing happens, then there is something going even further south.

Well, this breach was so massive that it caught the eyes and ears of many people, and all day yesterday, just about every Cybersecurity professional that I know of was writing articles and posts as to what the best course of action is that one can take if you believe that you have been a victim of it.

You may be asking at this point, what is so different about this Security breach versus the others that are constantly happening? This one is very massive, probably one of the largest ones yet. For example, there could be up to well over 500,000,000 Marriott customers that could have had their PII (which stands for Personally Identifiable Information) compromised. But what is even worse yet is that this particular Security breach was going on for at least four years until it was recently discovered.

The target of the Cyberattacker in this instance was Marriott’s guest reservation system, which is known as “Starwood”, and contains all of the PII of customers at literally all of Marriott’s direct hotel chains and even their affiliate and franchise ones as well. Apparently, the Cyberattacker(s) gained access to this database way back in 2014. And it was not officially acknowledged by Marriott until September 8th of this year.

Of course, Marriott has remained silent otherwise about this. It is not known at this point what specific actions they have taken to investigate what has happened, other than just making a general statement that an investigation is currently underway. But they did release the types and kinds of customer PII that may have been compromised, and these include the following:

*Name of customer;

*Phone number;

*Date of birth;

*Gender;

*Arrival/departure information;

*Reservation date;

*Communication preferences (such as text, email, phone call, etc);

*Credit card numbers;

*Expiry dates of those various credit cards.

Apparently, the credit card information was at least encrypted to some degree, using the Advanced Encryption Standard (AES-128). On a more technical level, since this Cryptographic system implemented by Marriott is a Public Key Infrastructure (PKI), it takes both a Public Key as well as a Private Key to encrypt and decrypt the credit card information. Usually the Public Key is accessible to anybody, but it is the Private Key that has to remain secure.

But in this Security breach, it is believed that somehow both have been taken by the Cyberattacker(s), which remains an even further mystery in and of itself.

But this is not the only time that the Marriott hotel chain has been afflicted by a Cyberattack. Back in 2017, their entire Network Infrastructure was impacted by a Trojan Horse. Through this, the Cyberattacker was able to create a backdoor through which they could gain access to Marriott’s Cyber Incident Response Team mailbox.

My thoughts on this?

Well, my first reaction, along with that of other Cybersecurity professionals, is: how is it possible that the hacker(s) could remain infiltrated in the IT Infrastructure of Marriott for such a long period of time? This is what is most mysterious, along with the hijacking of the two Cryptographic keys. Many professionals are using this instance to highlight the new strategy that the Cyberattacker is taking.

That is, these attack groups are taking their own sweet time in order to study their particular target(s). They use this time wisely so that they can find the softest and most vulnerable points, so that they can go in undetected and stay that way for a long time. The only way that they are detected is when, all of a sudden, a business or a corporation realizes that most of their customer PII is missing, such as in the case of Marriott.

But then at this point, the damage has already been done, and there is very little that anybody can do. In other words, the Cyberattacker is shifting their strategy from a “Smash and Grab” campaign to a “Dwell Time” campaign. Under Federal Law, the Marriott hotel chain is supposed to report this to the authorities at all levels (including federal, state, and local), but so far it has been reported that they have not even done this yet.

I could go on my usual rants as to how Marriott should have done this and that, but I won’t.  My first thoughts are going out to the victims.  Probably the best thing you can do now is to call all of your credit card companies and financial institutions, and notify them of the breach.  Also, contact all of the major credit reporting bureaus, and ask them what they should do about freezing your account; and request a copy of your credit report.

Also, in the wake of the massive earthquakes that happened in Alaska just yesterday, be careful of any phone calls or emails that you get asking for money or for donations. It is quite likely that your PII that was stolen in the Marriott security breach could be used in Social Engineering attacks here as well. Also, pay attention to the rewards points you have earned, as this is yet another favored target of the Cyberattacker.

But I think the mockery that Marriott is making here (and even adding more insult to injury) is that they are notifying their customers by email about any updates that are occurring. So once again, please be careful about any emails that you may get from Marriott. If you have any doubts, give them a call.

Finally, more information about the Security breach can be found here, in a statement released by Marriott:

https://marriott.gcs-web.com/news-releases/news-release-details/marriott-announces-starwood-guest-reservation-database-security