Barely two years after suffering one of the biggest data breaches in the world, international hotel chain Marriott International has fallen victim to another data breach. According to a release from the hotel chain, the breach occurred earlier this year and has affected the personal details of 5.2 million guests. Compromised information included contact details, birth dates, loyalty account details and guest preferences.
The information is believed to have been accessed using the login credentials of two employees at a franchise property, with the activity thought to have started in mid-January 2020. Upon discovery, Marriott International confirmed that the login credentials were disabled, and immediately began an investigation, implemented heightened monitoring, and arranged resources to inform and assist guests. Internal and external security teams are reported to be investigating the incident, implementing additional security measures, and addressing what was found.
To guard against the information involved being used for phishing or social engineering attempts, or for attempts to access and spend the points in Marriott Bonvoy accounts, guests have been advised to take a number of precautionary steps, including resetting their passwords and being vigilant towards phishing emails.
According to Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, this data breach at Marriott International highlights the importance of performing a detailed threat model on business operations and then implementing appropriate monitoring controls to ensure that threat vectors can be quickly identified. In this case, the attack vector was via compromised employee credentials. Those credentials provided access to guest services within individual properties under the Marriott brand.
He added that since employees often have access to sensitive customer data, creating appropriate alerts to detect credential misuse is particularly difficult. Examples of behaviours to look out for include: time of day (i.e. is the employee clocked in), scope of access (i.e. is the accessed data outside of their normal role), and volume of data (i.e. is the access consistent with how an employee would access data to address customer requirements).
Implementing such controls requires organisations to look not only at the application security and how it is deployed, but the intended usage patterns incorporating human factors data.
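The three behaviours described above (time of day, scope of access, volume of data) map directly onto a baselining check over an application's guest-record access log. The following is an added example, not code from this article, from Synopsys, or from Marriott: the employee profiles, role scopes, shift hours, the daily-volume baseline and the log line format (`<iso-timestamp> <employee> <property> <data-type> <guest-id>`) are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Hypothetical per-employee baselines (not Marriott's). "shift" is [start, end) in
# local hours; "daily_volume" is how many guest records the role normally touches per day.
EMPLOYEES = {
    "fd-0412": {"role": "front_desk", "shift": (7, 15), "properties": {"PROP-A"}, "daily_volume": 10},
    "fd-0917": {"role": "front_desk", "shift": (15, 23), "properties": {"PROP-A"}, "daily_volume": 10},
}
# Hypothetical role-to-data scopes: which guest data types a role legitimately reads.
ROLE_SCOPES = {
    "front_desk": {"reservation", "contact"},
    "loyalty_desk": {"reservation", "contact", "loyalty", "birthdate", "preferences"},
}

Record = namedtuple("Record", "ts employee prop data_type guest")


def parse(line):
    """Parse one constructed log line: '<iso-ts> <employee> <property> <data-type> <guest-id>'."""
    ts, emp, prop, dtype, guest = line.split()
    return Record(datetime.fromisoformat(ts), emp, prop, dtype, guest)


# Constructed sample log. fd-0412 behaves normally; fd-0917's credentials are used at
# 02:xx, from a property the employee is not assigned to, to pull loyalty data for
# 45 different guests in one sitting.
NORMAL = [
    "2020-01-15T08:12:00 fd-0412 PROP-A reservation G1001",
    "2020-01-15T09:40:00 fd-0412 PROP-A contact G1002",
    "2020-01-15T13:05:00 fd-0412 PROP-A reservation G1003",
    "2020-01-15T16:00:00 fd-0917 PROP-A contact G1004",
]
BULK = [f"2020-01-16T02:{m:02d}:00 fd-0917 PROP-B loyalty G{2000 + m}" for m in range(45)]
LOG = NORMAL + BULK


def detect(lines, employees=EMPLOYEES, role_scopes=ROLE_SCOPES, volume_factor=3):
    """Return {employee: {signal: count}} for accesses that deviate from the baseline.

    Signals follow the three behaviours in the text:
      off_hours    - access outside the employee's shift
      out_of_scope - data type not in the role's scope, or property not assigned
      high_volume  - more records in one day than volume_factor x the daily baseline
    Credentials with no profile at all are flagged separately.
    """
    signals = defaultdict(Counter)
    per_day = Counter()
    for rec in map(parse, lines):
        profile = employees.get(rec.employee)
        if profile is None:
            signals[rec.employee]["unknown_employee"] += 1
            continue
        start, end = profile["shift"]
        if not start <= rec.ts.hour < end:
            signals[rec.employee]["off_hours"] += 1
        if rec.data_type not in role_scopes[profile["role"]] or rec.prop not in profile["properties"]:
            signals[rec.employee]["out_of_scope"] += 1
        per_day[(rec.employee, rec.ts.date())] += 1
    for (emp, _day), n in per_day.items():
        if n > employees[emp]["daily_volume"] * volume_factor:
            signals[emp]["high_volume"] += n
    return {emp: dict(counts) for emp, counts in signals.items()}


if __name__ == "__main__":
    for emp, found in detect(LOG).items():
        print(emp, found)
```

Run stand-alone, the script reports only `fd-0917`, with all three signals firing on the same credential; `fd-0412` produces no output because every access falls inside shift, scope and volume. In practice the shift, scope and volume baselines would be derived from HR rostering and historical access data rather than hard-coded, and a single signal (a late check-in after hours, say) is weak on its own; it is the combination that distinguishes a compromised credential from an employee working an unusual shift.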