Marriott Breach: Advanced Technology Could Lower Risk
Two massive data breaches reported within the past week are likely to have major repercussions both for the companies involved and for those whose personal information has been stolen.
Marriott last week confirmed that the personal information of up to 500 million guests may have been stolen after its reservations database was hacked, and the information-sharing website Quora announced a data breach that exposed about 100 million users’ personal data.
Erin Malone, Sophos’ vice president of sales in North America and Sophos’ Partner Advisory Council leader, tells us Marriott’s data breach has put more than consumers’ data at risk. Sensitive corporate data belonging to business travelers is now also at risk of being used for other nefarious activity by cybercriminals, such as gaining access to company networks or launching lucrative phishing campaigns, she said.
“The potential consequences of this breach should serve as a reminder that even with the best security practices, businesses of all sizes are still vulnerable to data breaches through employee and third-party breaches,” she said. “As such, partners need to be working with all of their customers to ensure they have comprehensive, layered security solutions in place to prevent advanced threats from exposing customer records and detailed personal or employee information.”
Daryl Crockett, president and CEO of ValidDatum, which provides data-related project management and services, including data privacy and security, and General Data Protection Regulation (GDPR) compliance, tells us most companies are securing their data with encryption technology, monitoring for repeated log-in attempts and using some sort of role-based permissions, and second- and third-party authentication for mobile users.
“But what they fail to do and what they really need to start doing is not keeping data in mass chunks on their systems,” she said. “They need to use a technique called tokenization or micro-tokenization. That takes the data, the very personal parts of the data, and swaps it out for a token, and it takes that real data and it puts it someplace else, it encrypts it there and then shreds it and spreads it over a number of places. So when the crooks go into these databases, what they’ll find is data that’s not there, that they can’t read, that’s not real data.”
And when the data is needed, it’s essentially one transaction at a time, Crockett said.
“When somebody logs in and they want to come to the front desk, that single record gets pulled up, it gets swapped back for the real data, and that single record is exposed while they’re going through the transaction to log in or make a reservation, or check in at the front desk,” she said. “And then as soon as they are done with that transaction, it goes back through, gets re-tokenized with a different token number and off that data goes. That’s what businesses have to start doing and it is overwhelming.”
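The flow Crockett describes, as an added example that is not code from the article or from any vendor it mentions: a hypothetical token vault that replaces a guest’s passport number with a random token, keeps the real value only as XOR-split shares spread across separate stores (a stand-in for the “shred and spread” step), and, on every front-desk transaction, swaps the value back once and re-tokenizes it under a fresh token so the old token stops resolving. The `Vault`, `check_in` and the sample reservation record are constructed for illustration.

```python
import os
import secrets


def split_shares(data: bytes, n: int) -> list[bytes]:
    """XOR-split data into n shares; every share is needed to rebuild it (n-of-n)."""
    shares = [os.urandom(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]


def join_shares(shares: list[bytes]) -> bytes:
    """Rebuild the original bytes by XOR-ing all shares back together."""
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out


class Vault:
    """Hypothetical token vault: maps a token to shares held in separate stores."""

    def __init__(self, stores: int = 3):
        self.stores = stores
        self._shares: dict[str, list[bytes]] = {}  # token -> one share per store

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random; carries nothing about the value
        self._shares[token] = split_shares(value.encode(), self.stores)
        return token

    def detokenize(self, token: str) -> tuple[str, str]:
        """Swap a token back for the real value once; the token is spent afterwards."""
        shares = self._shares.pop(token)  # KeyError: unknown or already-spent token
        value = join_shares(shares).decode()
        return value, self.tokenize(value)  # re-tokenize under a fresh token


def check_in(db: dict, vault: Vault, guest_id: str) -> str:
    """One front-desk transaction: expose a single record, then re-tokenize it."""
    record = db[guest_id]
    passport, new_token = vault.detokenize(record["passport"])
    record["passport"] = new_token  # the application DB never holds the real value
    return passport


if __name__ == "__main__":
    vault = Vault()
    reservations = {"G1": {"passport": vault.tokenize("P123456789")}}  # constructed sample
    print(reservations, check_in(reservations, vault, "G1"))
```

A dump of the reservations table yields only tokens, and a stolen token is useless without all of the vault’s stores and is invalidated by the next transaction anyway.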
Businesses that are building their software and systems with data privacy and data security from the beginning are not going to have this problem, Crockett said. But legacy businesses like Marriott have to go through this retooling process, she said.
“They’re not thinking about going through and doing it the right way, they’re just trying to put locks on the front door in hopes that nobody drops through the ceiling or sneaks in, or maybe an employee that gets access to these large data banks,” Crockett said. “So that’s really what’s ahead and that’s really the most secure way, and I really do believe you’re going to start to see companies bite the bullet and realize they have to make these fundamental changes, and start to really not secure the data, but obscure the data.”
Tony Pepper, CEO of Egress Software Technologies, tells us the Marriott breach “clearly enters and surpasses the mega breach parameter,” and using figures from Ponemon Institute’s Cost of a Data Breach study, these types of breaches are projected to cost companies $40 million to $350 million.
“Cybersecurity is continuously evolving — as defenses get more sophisticated, so do the attacks to get around them (and vice versa),” he said. “This double-edged sword is both a challenge and an opportunity to the security community. It means that we need to be constantly innovating and looking to emerging technologies to enhance defenses, but at the same time, by being constantly on the front foot, we can thwart would-be attackers.”
The Marriott breach shows that there’s still work to do to improve cybersecurity, including at a global enterprise level, Pepper said. This requires both MSSPs and cybersecurity providers to take a holistic view of an organization’s defenses, including policies, training and technologies, to “ensure their defenses are robust,” he said.
What’s more, should the worst ever happen and a successful attack take place, the right systems should be in place to quickly detect and mitigate a breach and render any information unusable to a cybercriminal, he said.
“Cybersecurity providers and their MSSP partners can always do more to help organizations protect their sensitive data — because if we stop innovating, then it won’t be long for cybercriminals to bypass defenses,” he said. “Looking at the Marriott breach, where the attacker had access to the Starwood database since 2014, more needed to be done to detect areas of weakness, especially for systems that contain such incredibly high volumes of personally identifiable information (PII). Providers and MSSPs then need to recommend solutions that can secure this data based on leading-edge technologies that can defend against attacks.”
The Marriott breach is going to lead to fines and “amazingly huge lawsuits, and that’s probably going to lead to a lot of people with Marriott losing their jobs,” Crockett said.
“And frankly, customers are probably going to change to, at least temporarily, using another competitor that they think is doing a better job of protecting their data,” she said. “These are the real-world dangers now that companies must endure.”