The Marriott Starwood guest database breach that occurred at the end of last month affected the data of almost 500 million users. According to the Marriott investigation report, the possible cause of the breach was the technology platform deployed by Starwood under the name “Valhalla”.
Israel del Rio, the former Senior Vice President of Technology and Solutions at Starwood Hotels and Resorts from 2001 to 2006, gave his take on the guest data breach. He said, “I worked on Valhalla and wrote about Marriott’s decision not to use it moving forward in 2016.”
Israel del Rio’s take on the Marriott breach
In his post, Israel said that the Valhalla system was entirely active in 2009 and all the best practices were followed in the system’s design including firewalls, DMZs, encryption, etc. He said, “The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years. It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner.”
Israel highlighted three points in the Marriott report and explained his take on each of them.
500 million guests’ reservation data stolen
The report stated that the data of approximately 500 million guests who made a reservation at a Starwood property had been stolen. To this, Israel said, “It is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout. Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.”
He said that the only place where such a large volume of data could be found is the Data Warehouse, which would contain the booking records for several prior years. This is most likely the area from which the data was stolen.
However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract‐Transform‐Load process used during the migration.
An alert from an internal security tool helped Marriott to know about the breach
Marriott’s discovery of the breach was triggered on September 8, 2018, when Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Israel said, “We do not know when such a tool was first used, but what’s most confounding is Marriott’s assurance that the breach first occurred in 2014. If the detection tool was used prior to this September, why hadn’t the breach been detected earlier? And if the tool was not used earlier, how can they be so sure the breach occurred in 2014?”
The stolen data also contained data from 2014, which could be a reason why it was assumed that the breach took place around that time. However, the Data Warehouse contains booking data going back several years, so its data could have been exposed recently and still show stolen records from 2014.
The exposed data included encrypted payment card numbers and payment card expiration dates
According to Israel, “there are two components needed to decrypt the payment card numbers, and that at this point, Marriott has not been able to rule out the possibility that both were stolen.”
Marriott’s report said there is the possibility that the primary encryption key was also exposed. “It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys,” according to Israel.
Israel said there is a lack of information to actually understand what exactly happened. “It is possible that the Starwood system was in fact breached. Marriott had laid off most of the Starwood technology staff at the end of 2017, and whatever operational or migration issues this might have caused should be evaluated.”
To know more about Israel del Rio’s take on the Marriott breach, visit his blog post.
Chinese hackers might have caused the Marriott Starwood guest data breach
According to the New York Times report, the Marriott breach was a part of the “Chinese intelligence-gathering effort, that also hacked health insurers and the security clearance files of millions more Americans, according to the two people briefed on the investigation.”
This discovery came out as the Trump administration is planning actions, within days, to target China’s trade, cyber and economic policies. The Marriott Starwood guest data breach is not expected to be a part of the indictments against the Chinese hackers.
“But two of the government officials said that it has added urgency to the administration’s crackdown, given that Marriott is the top hotel provider for the American government and military personnel,” according to The New York Times.
The Marriott database contains not only credit card information but also passport data. But officials on Tuesday said this was a part of an aggressive operation whose main focus was the 2014 hacking into the Office of Personnel Management.
“At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances — forms that contain financial data; information about spouses, children and past romantic relationships; and any meetings with foreigners. Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans’ personal data for future targeting. With those details, the Marriott data adds another critical element to the intelligence profile: travel habits.”
James A. Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington, said to the Times, “The data can be used to track which Chinese citizens visited the same city, or hotel, as an American intelligence agent who was identified in data taken from the Office of Personnel Management or from American health insurers that document patients’ medical histories and Social Security numbers.”
According to The New York Times, “The effort to amass Americans’ personal information so alarmed government officials that in 2016, the Obama administration threatened to block a $14 billion bid by China’s Anbang Insurance Group Co. to acquire Starwood Hotel & Resorts Worldwide, according to one former official familiar with the work of the Committee on Foreign Investments in the United States, a secretive government body that reviews foreign acquisitions.”
Finally, the failed bid cleared the way later that year for Marriott Hotels to acquire Starwood for $13.6 billion, becoming the world’s largest hotel chain.
“The Chinese regard intrusions into hotel chain databases as a standard kind of espionage. So does the United States, which has often seized guest data from foreign hotels.”
To know more about this news in detail, visit The New York Times’ in-depth coverage.