Reports on the Marriott guest data breach have suggested that the
most probable cause was the technology platform deployed by
Starwood under the name “Valhalla.”
As the senior vice president of technology
solutions at Starwood Hotels & Resorts from 2001 to 2006, I worked on
Valhalla and wrote
about Marriott’s decision not to use it moving forward in 2016.
While some breaches might be due to architectural or design
weaknesses, most are due to operational or human factor causes.
The Valhalla
system was fully activated in 2009, and my understanding is that all best
practices were followed in its design (firewalls, DMZs, encryption, etc.).
The fact is, if we accept Marriott’s statement that the
breach began in 2014, the system would already have been operating securely for
five years.
It is difficult to imagine how an architectural or platform
vulnerability would not have been discovered or exploited sooner.
Fact vs. fiction
One of the stumbling blocks in trying to determine what
might have occurred is Marriott’s announcement, which is not very detailed.
Some facts are in order:
- Following standard architectures, the Starwood system would consist of multiple databases and
sub-systems. The most relevant to the discussion are the SPG system with its
SPG member database, the actual reservation system where active bookings are
kept, and a Data Warehouse used for analytical and marketing
purposes.
- It is known that soon after Marriott took control of
Starwood, they began to migrate the Starwood Data Warehouse to Marriott. From a
purely business perspective this makes sense, since one of the most valuable
and rapidly actionable Starwood assets would have been its historical booking
records. Marriott would surely have wanted access to the wealth of Starwood
guest data as soon as possible for its own marketing purposes.
As for what we publicly know, the Marriott announcement
alleges the following:
- That the data security incident involved the Starwood
guest reservation database. Marriott believes information regarding
approximately 500 million guests who had ever made a reservation at a Starwood
property had been stolen.
- That Marriott’s discovery of the breach was triggered on
September 8, 2018, when Marriott received an alert from an internal security
tool regarding an attempt to access the Starwood guest reservation database. Marriott
further announced that they learned during the investigation that there had
been unauthorized access to the Starwood network since 2014.
- That some of the information included encrypted payment card
numbers and payment card expiration dates, that two components are needed to
decrypt the payment card numbers, and that at this point Marriott has not been
able to rule out the possibility that both were stolen.
Regarding the first point, Marriott seems to suggest the
breach was made in the reservation system.
However, it is unlikely
this system would have held 500 million records, given the practice of removing
booking records a number of days after checkout.
Even assuming half a million rooms in Starwood’s inventory
at 90% occupancy, with average lengths of stay of two days, and up to two years
of advance booking, such a database would not exceed 200 million
records.
As for the SPG database, it would contain one record for each SPG
member, but not even under the most optimistic scenarios would Starwood have
had 500 million registered SPG guests.
Clues elsewhere
This leaves the Data Warehouse. The Data Warehouse
would contain the booking records for several prior years, and it clearly could
contain 500 million records. This is most likely the area from which the data
was stolen.
However, given that some of that data had already been migrated to
Marriott, it is hard to say for certain whether the breach occurred in the Starwood
system, the Marriott system, or in transit as a result of exposure during the
Extract-Transform-Load process used during the migration.
The second point appears to indicate Marriott first detected
the issue back in September of this year (presumably by using a traffic
detection tool).
It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys.
Israel del Rio
We do not know when such a tool was first used, but what’s most
confounding is Marriott’s assurance that the breach first occurred in 2014.
If
the detection tool was used prior to this September, why hadn’t the breach been
detected earlier? And if the tool was not used earlier, how can they be so sure
the breach occurred in 2014?
Some in the media mention that the stolen data contains
bookings from 2014, and this is the reason behind the assumption that the
breach took place at that time.
The Data Warehouse contains booking
data going back several years. The Data Warehouse data could have been exposed
recently and still show stolen records from 2014.
As I mentioned earlier, security breaches can be the result
of the exploitation of platform weaknesses.
These occur most frequently in
smaller companies that lack the resources to properly design and deploy known
defenses (firewalls, router configurations, encryption, monitoring) or to
staff their operations sufficiently.
Still, most commonly, breaches occur when someone obtains an
administrative password via deceitful means (e.g., phishing attacks), enabling
them to log into the system and install Trojan software to extract data or to
manipulate the system.
This is the method the Russians used to hack into the Democratic National Committee emails, for example.
Inside, outside - blame games
Another manner in which breaches occur is when they are
conducted by internal staff.
This type of inside job is particularly pernicious
because it is often impossible to determine the extent of the exposed
vulnerability.
Marriott’s third point raises eyebrows because they say there is
the possibility that the primary encryption key was also exposed.
It is almost
impossible to imagine a scenario in which an external hacker is able to gain
access to the primary encryption keys.
In summary, Marriott has so far released too little information
to truly determine what has occurred.
It is possible
that the Starwood system was in fact breached. Marriott had laid off most of
the Starwood technology staff at the end of 2017, and whatever operational or
migration issues this might have caused should be evaluated.
But more information is clearly needed, otherwise we will
continue to see media speculation, such as the idea that China is the culprit,
among other theories and noise.
For now, I hope this article highlights why it
might be too soon to jump to any conclusions.
What is needed instead is an
objective assessment of what happened, regardless of accountabilities.
Finding
out exactly what went on is paramount to ensuring these types of data exposures
do not happen again and to regaining the trust and confidence of the guests.