Case Study - 2018marriott


Attack Case Study

Marriott Data Breach: 2018


By S.A.
Description of the Attack Category to teach the
reviewer about the attack: Phishing is an example of a
social engineering attack that is commonly utilized to steal user data.
This user data may include login credentials, credit card numbers and
other sensitive information. How it works is that an attacker, who
masquerades as a trusted entity, dupes a victim into opening an email
(an e-mail that seems normal), instant message, or text message. The
Attack recipient may then be tricked into clicking a malicious link, opening a
malicious attachment, or asked to fill out a fraudulent data-entry

Category: forms. Going forward with any of these actions could lead to the
installation of malware on the victim’s computer, the freezing of the
system as part of a ransomware attack or the revealing of sensitive
information.

Phishing A statistic about the type of the attack or about


the case study company’s industry:

A 2020 annual internet crime report, released by the FBI, reveals that
phishing was the most common type of cybercrime in 2020—and
phishing incidents nearly doubled in frequency, from 114,702
incidents in 2019, to 241,324 incidents in 2020.
The FBI said there were more than 11 times as many phishing
complaints in 2020 compared to 2016.

Company description: Marriott International was founded in 1927 by John Williard Marriott
and is headquartered in Bethesda, Maryland. It is a multinational company that manages and
licenses various types of lodging worldwide. Marriott has 30 brands (including the Ritz-Carlton and
St. Regis luxury brands), with over 7,000 properties in over 130 countries. Marriott’s 2016
acquisition of Starwood Hotels & Resorts made it the largest lodging company in the world.

As of 2020, the company employs over 120,000 people and is still highly regarded within the
hospitality industry.

Summary of the security incident and data breach: In early September of 2018,
there was an attempt made to access the internal guest reservation database for Marriott’s Starwood
brands. An internal security tool flagged the attempt as suspicious. Because of this attempt, an
internal investigation was conducted and determined that the Starwood Network was compromised
back in 2014. Even though Starwood was acquired in 2016, the former Starwood hotels were
utilizing their old IT infrastructure and not the Marriott reservation system. The investigation
discovered that attackers managed to obtain information from up to 500 million guest records. Those
records included credit card information and passport numbers.

Marriott investigators discovered a Remote Access Trojan (RAT) on the Starwood IT systems. A month after that discovery, a penetration-testing tool called Mimikatz was discovered. Even with cybersecurity insurance, the breach will cost Marriott billions of dollars.

Timeline: 2018 Marriott Data Breach

1. Sometime in 2014, back when Starwood was a separate company, the Starwood network was compromised. It is believed that the initial compromise was due to a phishing attack.

2. In 2016, Marriott International acquired Starwood Hotels & Resorts, making Marriott International the largest lodging company in the world.

3. September 8, 2018: an internal security tool flagged as suspicious an attempt to access the internal guest reservation database for Marriott's Starwood brands, which include the Westin, Sheraton, St. Regis, and W hotels.

4. An internal investigation discovered a Remote Access Trojan (RAT) on the Starwood systems. A month after that discovery, a penetration-testing tool called Mimikatz was also discovered.

5. Marriott released a statement to the public on Nov 30, 2018, outlining the breach. They revealed that the attackers had encrypted, and attempted to remove from the Starwood systems, information from up to 500 million guest records.

6. By December 2018, the US Government blamed hackers employed by Chinese intelligence services. They say that the code and attack patterns used match up with techniques employed by state-sponsored Chinese hackers.
Vulnerabilities

Overall Summary: In early September of 2018, there was an attempt made to access the internal guest reservation database for Marriott's Starwood brands. An internal investigation was conducted and determined that the Starwood Network was compromised as far back as 2014. A Remote Access Trojan (RAT) and a penetration-testing tool called Mimikatz were discovered. Information from up to 500 million guest records was compromised.

Vulnerability #1: Basic Security Failings
Summary: There was a lack of defense in depth that allowed attackers to stay in the system for years after breaching it. For example, there was a failure to keep encrypted data and the keys used to encrypt it separate. They needed to assume they were compromised and did not.

Vulnerability #2: The merger between Marriott and Starwood
Summary: After the merger, Starwood's IT staff was fired and there was a long period during which Starwood's legacy systems were maintained in limbo. Marriott failed to do due diligence on Starwood's IT infrastructure and failed to integrate a new system within Starwood immediately.

Vulnerability #3: Hospitality Industry is a target
Summary: The Hospitality Industry as a whole deals with information and data for people all over the world. Companies like Marriott have to realize that they have a target on their back and take the proper cybersecurity precautions. Education and other preventive measures need to be put in place.

Vulnerability #4: In-House security
Summary: Marriott International is a world-wide billion dollar corporation. Yet they failed to realize that Starwood was already infected. Once they did, they brought in third-party forensic investigators to help. The company should have top of the line IT security with employees at the ready.

Costs

• As of March 2019, the company had incurred $28 million in expenses related to the breach.
• The U.K.'s ICO initially fined Marriott £99 million ($123 million), but by late 2020 had reduced it to £14.4 million (~$23.8 million).
• Marriott is facing a class action lawsuit (led by Martin Bryant) which could cost it £1.75bn.
• Compensation is still unresolved, and the Marriott breach will result in costs of millions of dollars, if not more than $1 billion, in the years to come, including the IT and legal fees involved.

Prevention

• Proper education of all employees to be aware of phishing e-mails and other cyber-security threats the company may face.
• Have enough trained cyber-security employees in place along with current safety protocols.
• A thorough auditing of the Starwood IT systems should have been conducted immediately after the acquisition.
• The Marriott systems should have been integrated in the Starwood hotels immediately after the merger was completed.
• Audits for all systems for the entire company need to be conducted on a regular basis.
• Multifactor authentication (multiple methods of authentication) should be implemented for all employees and guests of Marriott hotels.
