
March 31, 2020

The Takeaway from Marriott's Second Major Breach in Just Over a Year

Marriott just had its second major breach in just over a year, and it was discovered only about a month ago. It shows how easy it is for attackers to get into an organization. If a company this large and well-funded can be hacked this often, corporations are not taking the risk seriously enough.

Although there is no way to be 100% secure, there are ways to drastically minimize risk. First, more on what happened.

Marriott reported that two employee accounts were compromised, giving attackers access to potentially more than 5.2 million hotel guest records. The awkward part for Marriott is that the affected customers were the ones using the company's loyalty app.

In theory, the most loyal customers were the ones affected.

According to Marriott, the following information was involved:

  1. Contact Details (e.g., name, mailing address, email address, and phone number)
  2. Loyalty Account Information (e.g., account number and points balance, but not passwords)
  3. Additional Personal Details (e.g., company, gender, and birthday day and month)
  4. Partnerships and Affiliations (e.g., linked airline loyalty programs and numbers)
  5. Preferences (e.g., stay/room preferences and language preference)

“Although our investigation is ongoing, we currently have no reason to believe that the information involved included Marriott Bonvoy account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers,” the company said in a statement.

Marriott is disabling the passwords of affected accounts, providing personal information monitoring services for a year, and prompting users to enable multi-factor authentication to further protect their accounts.

They are also notifying relevant authorities and are supporting their investigations.

Last July we reported that Marriott was facing a proposed EU GDPR fine of about $130 million because its earlier breach exposed 339 million guest records, including five million passport numbers and eight million credit card numbers.

Marriott's investigators found Mimikatz and a remote access trojan (RAT) on the compromised Starwood IT systems. The investigation began when IBM Guardium, a database monitoring product, flagged an anomalous query against the Starwood guest reservation database in September 2018.

"The Guardium alert was triggered by a query from an administrator's account to return the count of rows from a table in the database," Marriott International CEO Arne Sorenson said.

Such queries are suspicious because the application that runs on top of a reservation database rarely needs a bare count of every row in a table. A query like that points to a human operator typing it by hand, which is exactly what an intruder does when sizing up a table before copying it.
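The detection logic the Guardium alert describes is simple enough to show end to end. The following is an added example, not Marriott's or IBM's code: it runs a rule over a few constructed audit records in a hypothetical pipe-delimited format (timestamp, database account, client IP, SQL text), flags unfiltered SELECT COUNT(*) / COUNT(1) queries, and suppresses them only for an assumed allowlist of service accounts whose job legitimately includes whole-table counts. The account names, table names and log format are all invented for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample audit records (hypothetical format, not Guardium's real one):
# timestamp|db_account|client_ip|sql_text
SAMPLE_AUDIT = """\
2018-09-08T03:12:41Z|svc_reservations|10.20.1.15|SELECT guest_id, arrival_date FROM guest_reservation WHERE guest_id = 483921
2018-09-08T03:12:42Z|svc_reservations|10.20.1.15|UPDATE guest_reservation SET status = 'CHECKED_IN' WHERE reservation_id = 77120
2018-09-08T03:13:05Z|dbadmin|10.20.9.77|SELECT COUNT(*) FROM guest_reservation
2018-09-08T03:13:40Z|dbadmin|10.20.9.77|select count(1) from guest_passport;
2018-09-08T03:14:02Z|svc_reporting|10.20.2.30|SELECT COUNT(*) FROM daily_occupancy WHERE report_date = '2018-09-07'
2018-09-08T03:15:10Z|svc_reporting|10.20.2.30|SELECT COUNT(*) FROM daily_occupancy
"""

# Hypothetical allowlist: service accounts that legitimately count whole tables
# (e.g. a nightly reporting job). Everyone else, admins included, gets flagged.
ALLOWED_COUNT_ACCOUNTS = {"svc_reporting"}

# An unfiltered row count: SELECT COUNT(*) or COUNT(1) FROM <table> with no WHERE
# clause. This is the "how big is this table?" question an intruder asks by hand.
_BARE_COUNT = re.compile(
    r"^select\s+count\(\s*(?:\*|1)\s*\)\s+from\s+([a-z_][a-z0-9_.]*)\s*;?$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    account: str
    client_ip: str
    table: str


def bare_row_count_table(sql: str) -> Optional[str]:
    """Return the table name if `sql` is an unfiltered whole-table row count, else None."""
    normalized = " ".join(sql.strip().lower().split())  # case- and whitespace-insensitive
    match = _BARE_COUNT.match(normalized)
    return match.group(1) if match else None


def detect_row_count_probes(audit_text: str) -> List[Alert]:
    """Scan audit records and return one Alert per bare row count from a non-allowlisted account."""
    alerts: List[Alert] = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        timestamp, account, client_ip, sql = line.split("|", 3)
        table = bare_row_count_table(sql)
        if table is None or account in ALLOWED_COUNT_ACCOUNTS:
            continue
        alerts.append(Alert(timestamp, account, client_ip, table))
    return alerts


if __name__ == "__main__":
    for alert in detect_row_count_probes(SAMPLE_AUDIT):
        print(f"{alert.timestamp} ALERT: {alert.account}@{alert.client_ip} "
              f"counted all rows in {alert.table}")
```

Run against the sample, the rule fires twice, both times for the dbadmin session, and stays quiet for the reporting account's scheduled counts and for the filtered count with a WHERE clause. In a real deployment the allowlist should be narrow and the rule should be paired with the account's normal source addresses, since an administrator account used from an unfamiliar host is the stronger signal.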

The hack soon turned from "probably bad" to "bad" when investigators found that the attackers had been active on Starwood's IT network since July 2014, long before Marriott's 2016 acquisition of Starwood. In other words, the company was unaware of the breach for four years.

Both breaches involved compromised accounts, and the easiest way to compromise an account is phishing: sending the user an email or message that impersonates a trusted sender, such as their bank or credit card company.

When the user clicks the link, the page can drop malware, or it can ask them to enter their username and password on a fake login page, for example a page dressed up to look like their bank's site.

Spear phishing is a more targeted way to get the victim to click: do a bit of research on a user and then send them a message built around what you learned. Attackers can also guess interests from where workers live or work. An email offering free Cowboys tickets to people working in Dallas will probably get a high click rate.

Our experience is that a generic phishing message can get a greater than 90% click rate. Our division PHISH360 has a solid track record in phishing simulation.

The reason companies run such simulations is to train users. If you do not test workers continuously, your organization is at the mercy of attackers who ARE constantly sending messages. Training is not perfect, but it is inexpensive, and it prevents the kind of user mistake that can cost a business its future. Eventually the legal consequences, fines and loss of customers will sink a company; at a minimum they cause all of the above and send cyber insurance rates skyrocketing.

We are not saying phishing simulation is all you need; cybersecurity is a holistic discipline that requires technology and know-how. AI-based anomaly detection might have caught these breaches earlier. Obviously, systems need to be patched, and firewalls and VPNs need to be configured correctly. Then there is partner software, which can have holes that attackers are crafty enough to exploit to get into systems. British Airways was notified of a proposed $229 million GDPR fine the same week as Marriott after attackers exploited a security hole in software on its website.

Our company Apex Technology Services has a tremendous amount of experience dealing with cybersecurity issues such as these. We have global customers ranging from a Fortune 200 insurance company down to small medical and financial trading firms. That broad experience has helped our customers stay as secure as possible. There is no foolproof security, of course, but working with a dedicated team of motivated professionals is the most important part of staying secure. Staff turnover, low morale and poor management eventually lead to mistakes, or at least overlooked issues. Forgetting to patch systems, which is common in many organizations, leaves companies more at risk than they know. Many have already been breached and will not realize it until they are about to make a bank transfer and an attacker, impersonating a vendor or executive, supplies a different account number and steals the entire transfer.

It is never too early to take cybersecurity seriously. Contact us – we want to help keep you more secure.
