Friday 30 November 2018

Some Thoughts on the Starwood/Marriott Reservations Database Breach

Note: This post will _not_ be a happy one.

First: The announcement page: Starwood Guest Reservation Database Security Incident Marriott International

That page is garbage, rubbish, and so much more. It exemplifies today's epidemic of spin instead of truth and responsibility for an error that harms others.
"Marriott values our guests and understands the importance of protecting personal information."

That is a complete crock of male bovine excrement.

Especially when we look to the following:


"After receiving the internal security alert, we immediately engaged leading security experts to help us determine what occurred."

Okay, so just when did that security alert come in?


"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database."

Cool, so it looks like things got caught really quickly, right? That seems to be the way this announcement is written, right?

"Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014."

Let's rephrase all of the above, shall we:

Marriott: We let unauthorized access to our reservation database happen for FOUR YEARS.

Yeah, "We at Marriott/Starwood really care about your data/PII." Really. All said with a smile.


In our case, the CC used for our various stays has expired very recently. So, we should be protected that way. And, to further protect things we use KeePass with unique passwords for any and all online resources with unique e-mail addresses set up for each of them (we're doing this more and more).

Suffice it to say, if Marriott really cared about the risk to our PII (Personally Identifiable Information), the reservations system would have been segmented, with designated access only and no Internet access. We've been applying our knowledge of network setup to segment our clients' networks for years, especially since PCI scans are somewhat generic and vary depending on which org is running them.

Oh, and note that credit card information was stored in there too. How in the world did that pass muster with PCI scans?


LMHYWT (Let me help you with that): "... two components needed to decrypt payment card numbers and Marriott not able to rule out both were taken."

'Tis a sad day indeed when spin and lawyer-speak win out over a true "Mea Culpa": we really *insert expletive here* up.

This Marriott incident is a gross breach of trust, and it is time companies were held liable for such.

Philip Elder
Microsoft High Availability MVP
Co-Author: SBS 2008 Blueprint Book

1 comment:

Balazs Engedi said...

And hotel people still always look very confused when I refuse to give them my credit card so they can type the details to whatever dodgy hotel system they are running.