It was just announced that Marriott will be fined $123 million by the UK for their 2018 data breach that exposed data on 339 million guests – or about $2.76 per guest. The UK’s Information Commissioner’s Office (ICO) said that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should have done more to secure its systems.” The fine is a direct result of failing to adhere to the GDPR (General Data Protection Regulation), which applies to any business that stores data on citizens of an EU country.
The breach was caused by hackers gaining unauthorized access to a PC at Starwood, a company recently purchased by Marriott. Before Marriott could migrate the database contents to their own systems, Starwood’s own database had been compromised. Once the hackers were inside the network, queries were discovered being run against the database by an administrator account. This let the IT team know that something was amiss. Upon deeper investigation, the individual whose account made the query turned out to have been compromised, and investigators discovered a Remote Access Trojan (RAT) that allowed unfettered access to the computer. The investigators then found evidence that the hackers had access to their systems for over 2 years without their knowledge.
Here is the crazy part – the only way they knew that customer data had been stolen was by locating 2 compressed, encrypted files that had been deleted from the device.
The team was able to restore the files and then decrypt them, and saw that one contained an export of a table from the Starwood Guest Reservation Database holding guest data. The other file contained passport information for the guests.
In total there were:
- 383 million guest records
- 18.5 million encrypted passport numbers
- 5.25 million unencrypted passport numbers (663,000 were U.S.)
- 9.1 million encrypted payment card numbers
- 385,000 credit card numbers that were still valid at the time of the breach.
Here you can watch the entire Senate Testimony: https://www.hsgac.senate.gov/templates/watch.cfm?id=ED7AA8F1-5056-A066-6067-80CD2EC5A6C3