Endlessly banging on about the perils of cyber breaches, week on week as we are, whilst trying to tread the fine line between reasonable advice and recommendations and the Dark Side that is ‘Fear, Uncertainty and Doubt’, marketing is sometimes a tricky business.
But there are weeks, and then there are Weeks.
This week, Dell, Dunkin’ Donuts and, just today, Marriott have announced breaches or (in the case of Dell) ‘potential’ breaches.
The doughnut (<– see spelling) outfit has blamed the breach directly on the shoulders of third-party suppliers, specifically the (presumably burgeoning) DD Perks loyalty providers.
The hoteliers are pinning the breach on the Starwood hotel chain which it acquired and also ‘fessed up to the fact that unauthorised access to its systems may have been going on for over four years:
“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” said the firm in a statement issued this morning. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”
Around 327 million of those guest bookings included customers’ “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
For an unspecified number, encrypted card numbers and expiration dates were also included, though Marriott insisted there was AES-128 grade encryption on these details, saying: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
We can only assume that the ‘internal security tool’ was either a maligned employee, a ‘Slow Machine LearningTM‘ application or something shiny and new coming to the rescue.
At 500 Meeellion sets of credentials, this is probably the second biggest breach of all time after the Yahoo kerfuffle some years ago. Presumably the executives responsible can look forward to pay rises, share issues and monster pay offs as everyone who has stayed in one of these hotels gets the fear and wonders what to do. Presumably fines will be levied which will no doubt be comparable to a hiccup in a thunderstorm (yes, yes) and the world will move on until the next time.
Now far be it for us to presume, but it is plain to see that retail outfits, specifically with POS system, (perhaps) loyalty schemes and a network that is out of control (plumbing again, pesky), are being busted over and over. The reasons are very clear.
On the one hand loyalty scheme fraud is worth so much more to the organised criminal gangs than you could possibly imagine. This is the reason that ITC has been running a loyalty card forum, attended (and chaired) by some of the largest operators in this space for the last 4 years. This is not a sales or marketing event whatsoever, just a forum to bring long-suffering security folk together under The Chatham House Rule to share experiences, intelligence and more. If you would like to be involved, please contact us.
On the other hand (or tentacle), identity and credit theft is already a huge problem and criminals with this much personal data are going to make hay. It would be very wise to keep an eye on announcements from Marriott. Changing credit cards is easy, passports more of a pain, but at least if you live in the UK and wait six months, you will get a lovely blue one, which will of course be printed in France (just need to take a moment to calm down before a gasket is blown).
On a slightly less depressing theme, we are very proud to be part of The Managed Security Forum organised by our associates at prevalent.ai. Make no mistake about it, the people who run this are very, very wise, very experienced and always worth consulting. They have just produced a ‘Buyers Guide To Managed Security’, which will almost certainly be worth a read. In the interests of fair play, we haven’t read it yet so have no idea if we get the thumbs up, or more worryingly from this crew, a thumb down. Do take a look.
If you want to talk to us about best practice in a retail environment, third party risk management or anything Cyber related, please contact us at: [email protected] or 020 7517 3900.
Didn’t work out for the Aussies did it? Have a great weekend.