With Marriott International admitting that hackers stole about 500 million records from its Starwood Hotels reservation system, travelers need to be on their guard. The biggest risk centers, according to Crawford, are public places such as hotels, airports, coffee shops, and other hubs, which are flooded this holiday season; most travelers, if not all, look for convenience and forget about internet safety and the risk that goes along with it.
To gain an insight about improving security, Digital Journal spoke with Douglas Crawford, data privacy expert at BestVPN.com.
Digital Journal: How did the Marriott attack happen?
Douglas Crawford: Marriott has, so far, declined to publish many details about the attack. What we do know is that on 8 September, Marriott’s internal security tools detected an intrusion into its systems. Further investigation revealed that hackers had compromised a database belonging to Starwood since 2014.
Starwood is a subsidiary hotel chain belonging to Marriott, whose high-profile properties include Westin Hotels & Resorts and Sheraton Hotels & Resorts, including the Sheraton Grand Park Lane and Le Méridien Piccadilly in London, and Sheraton Diana Majestic in Milan.
DJ: Do we know where the attack came from?
Crawford: The short answer is no. We don’t know who is responsible for this attack at the present time, although it is hoped that digital forensics will reveal the culprit to investigators in time.
The global nature and sheer magnitude of the hack, which may affect as many as 500 million people worldwide, has led to speculation that state-level hackers may be involved. The theory is that they might have been able to track the movements of diplomats, politicians, spies, military personnel, and suchlike.
This, however, is pure speculation; the culprits are just as likely to be thieves seeking access to credit card details.
DJ: Were Marriott’s systems weak?
Crawford: Marriott has not released enough details to determine if weaknesses in its systems are to blame for the hack, although the incident has already badly damaged its reputation.
Out-of-date or badly implemented security on point-of-sale and reservation systems has been suggested as a point of weakness that the attackers might have used to gain entry, but again, this is pure speculation at this time.
It should be remembered that 95 percent of cybersecurity threats are the result of human failure, rather than the technical exploitation of security systems. Of course, the solution to human failure also resides in systems – proper cybersecurity training for staff members, a robustly designed digital security regimen, and careful vetting of staff are at least as important as well-implemented and up-to-date technical security.
DJ: What are the implications for those who have been hacked?
Crawford: It is not just the sheer number of people who have been affected by this hack, but the amount and sensitivity of the information stolen, that has alarmed experts. The exact information stolen varies from guest to guest, but can include their name, email address, phone number, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation dates, communication preferences, and even card numbers and expiration dates.
Card details were encrypted using AES-128, but Marriott says that it cannot guarantee the two pieces of information needed to decrypt this data were not also stolen by the hackers.
As if that is not bad enough, cybersecurity experts are worried that criminal hackers may be able to combine this information with datasets obtained from other breaches, such as those of Equifax, Target, Ashley Madison, and Yahoo.
This wealth of potentially damaging information has helped fan the flames of theories that “people who are vulnerable from a national security perspective” may have been the targets.
But even if the perpetrators are common criminals, victims of the hack could be wide open to credit card or bank account theft, and even full identity fraud and identity theft.
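The point about the encrypted card data above is that ciphertext is only as safe as the key material kept away from it. The following is an added illustration, not Marriott's or Starwood's code, and it does not claim to reproduce their scheme: it assumes a reservation database row stores only an AES-128-GCM ciphertext and its nonce, with the 16-byte key held somewhere else, and shows that a copy of the rows alone yields nothing, while a copy of the rows plus the key yields every card.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// StoredCard models what a database row holds: ciphertext and nonce only.
// The key is deliberately not part of the row (assumed to live in a separate
// key store or HSM).
type StoredCard struct {
	Nonce      []byte
	Ciphertext []byte
}

// EncryptCard encrypts a card number with AES-128-GCM under a 16-byte key.
// A fresh random nonce is drawn per record so identical card numbers do not
// produce identical ciphertext.
func EncryptCard(key []byte, pan string) (StoredCard, error) {
	if len(key) != 16 {
		return StoredCard{}, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	return StoredCard{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, []byte(pan), nil)}, nil
}

// DecryptCard reverses EncryptCard. With the wrong key, GCM's authentication
// tag check fails and an error is returned instead of garbage plaintext.
func DecryptCard(key []byte, rec StoredCard) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ReadableCards counts how many records in a dump can be recovered with the
// key the holder of the dump possesses: zero with the wrong (or no) key,
// all of them once the real key has also been obtained.
func ReadableCards(key []byte, dump []StoredCard) int {
	n := 0
	for _, rec := range dump {
		if _, err := DecryptCard(key, rec); err == nil {
			n++
		}
	}
	return n
}

func main() {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample card number (a standard test PAN), not real data.
	rec, err := EncryptCard(key, "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("row as stored: nonce=%s ct=%s\n",
		hex.EncodeToString(rec.Nonce), hex.EncodeToString(rec.Ciphertext))

	stolenRowsOnly := []StoredCard{rec}
	fmt.Println("readable with dump only:", ReadableCards(make([]byte, 16), stolenRowsOnly))
	fmt.Println("readable with dump and key:", ReadableCards(key, stolenRowsOnly))
}
```

The design choice worth noting is that GCM is authenticated: a wrong key produces an error, not plausible-looking digits, which is what lets `ReadableCards` serve as an honest measure of what a dump exposes. Whether a breach of such a table is serious therefore turns entirely on whether the key (and any other component the scheme needs) was reachable from the same compromised systems.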
DJ: Why were Marriott seemingly slow in notifying customers?
Crawford: Marriott was first alerted that there might be a problem on 8th September. It was not until 19th November that investigators were able to decrypt information that the hackers had encrypted, and thereby determine that the stolen data came from the Starwood guest reservation database. It officially announced the data breach the next day.
It therefore seems Marriott went public with the news almost as soon as it itself possessed the full facts of the situation. This is in sharp contrast to the likes of Yahoo, which knew about its 1.5 billion user data breach for around two years before reporting it.
Marriott also needed time to set up guest support options before making its announcement. These include a dedicated call center for concerned customers, sending emails to all affected guests, and offering free enrollment in WebWatcher. This is a service that monitors the internet for signs that users’ stolen data has been abused.
DJ: Are other hotels vulnerable?
Crawford: The Marriott hack simply confirms what should be glaringly obvious by now – that any centralized database can be hacked, and if it is valuable then it probably will be at some point.
The number of people affected, the sensitivity of the information stolen, and the fact that the attackers seem to have had regular access to this data for some four years is unprecedented. But the idea that any hotel, or indeed, any database (including sensitive government ones) is immune to hackers is dangerously wishful thinking.
DJ: What can hotels and other travel sites do to achieve better protection?
Crawford: Any organization that holds sensitive information needs to be proactive in keeping all of its security systems up to date with cybersecurity advances. But as already noted, this very much includes its personnel systems as well as its technical systems.
After all, there is no point whatsoever in spending millions of dollars on state-of-the-art encrypted servers, if even one authorized staff member uses their cat’s name as their password and then posts pictures of said cat all over their Facebook page!
DJ: Is there anything that customers can do for greater security?
Crawford: To be honest, there isn’t really much customers can do about data stored on third-party servers being hacked. Using a password manager so that you can deploy strong, unique passwords on every website and online service you use is good general advice, as is using a VPN whenever connected to a public Wi-Fi network.
But none of these personal security measures that individuals can take will help in situations such as the Marriott hack.