Starwood/Marriott and Quora Breaches
Nicole Perlroth et al. (Hacker News):
The hotel chain asked guests checking in for a treasure trove of personal information: credit cards, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests.
The assault started as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.
Marriott (via Dave Kennedy):
For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.
Generally, business executives don’t know what questions to ask to make sure this doesn’t happen. But worse, most professional software developers don’t either.
The best way to prevent data from being leaked is to not store it.
Think about it: a breach of tens- or hundreds-of-millions of individuals’ extremely private information — including, in this case, passport numbers and hashes of credit card numbers — couldn’t happen if the system were designed to purge this information at the earliest possible chance.
Today’s news about the Marriott breach should finally drive home a lesson that has been missed for years now: “we’ve been doing what every other big company does” means you are insecure and have to change your ways, because the median large company has terrible security.
The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.
Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of the its guest reservations or membership systems.
However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data.
But anytime we see such a colossal intrusion go undetected for so long, the ultimate cause is usually a failure to adopt the most important principle in cybersecurity defense that applies to both corporations and consumers: Assume you are compromised.
[…]
This involves not only focusing on breach prevention, but at least equally on intrusion detection and response. It starts with the assumption that failing to respond quickly when an adversary gains an initial foothold is like allowing a tiny cancer cell to metastasize into a much bigger illness that — left undetected for days, months or years — can cost the entire organism dearly.
The companies with the most clueful leaders are paying threat hunters to look for signs of new intrusions. They’re reshuffling the organizational chart so that people in charge of security report to the board, the CEO, and/or chief risk officer — anyone but the Chief Technology Officer.
Adam D’Angelo (via Troy Hunt):
For approximately 100 million Quora users, the following information may have been compromised:
- Account information, e.g. name, email address, encrypted (hashed) password, data imported from linked networks when authorized by users
- Public content and actions, e.g. questions, answers, comments, upvotes
- Non-public content and actions, e.g. answer requests, downvotes, direct messages (note that a low percentage of Quora users have sent or received such messages)
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.
However, I want to give kudos to Quora on three fronts.
Update (2018-12-19): Bruce Schneier:
The New York Times and Reuters are reporting that China was behind the recent hack of Marriott Hotels. Note that this is still uncomfirmed, but interesting if it is true.
See also: Hacker News.
Update (2019-03-12): Catalin Cimpanu (via Hacker News):
Marriott International CEO Arne Sorenson testified in front of a US Senate subcommittee yesterday, revealing new details about a security breach the hotel chain disclosed last year.
Speaking in front of the Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations, Sorenson apologized to the company’s customers but also shot down rumors that China was behind the hack.
Update (2024-05-03): See also: Bruce Schneier (2020).
Evan Schuman (2024, via Hacker News):
For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.
In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.
1 Comment RSS · Twitter
I agree with Nick Heer, seems like Quora handled this breach quite well all things considered.
Marriott? Not so much. Man.