Gunnar Assmy - Fotolia

Marriott data breach exposed 5 million unencrypted passport numbers

Marriott's data breach affected fewer customers than the hotel giant originally estimated, but the breach exposed millions of unencrypted passport numbers.

More than 5 million unencrypted passport numbers were stolen as part of the Marriott data breach last year, according to an update from the hotel giant.

The information accessed in the breach, which was disclosed on Nov. 30, also includes approximately 20.3 million encrypted passport numbers, the Bethesda, Md., hotel chain revealed in an online statement on Friday.

Approximately 8.6 million encrypted payment cards, 354,000 of which were unexpired as of September 2018, were also exposed in the Marriott data breach, the company said. Marriott added there is no evidence the threat actors accessed the master encryption key needed to decrypt the encrypted passport and payment card numbers.

Marriott also revealed that fewer guests were affected than the previously estimated number of 500 million. Following the work of a "forensics and analytics investigation team," Marriott has identified "information for fewer than 383 million unique guests was involved" in the incident.

With it becoming much easier in the last several years to encrypt information at rest, it's difficult to "excuse in this day and age that someone isn't encrypting all sensitive data in their databases," said Bryce Austin, CEO of TCE Strategy in Lakeville, Minn.

Bryce Austin, CEO at TCE StrategyBryce Austin

Marriott's initial breach disclosure noted that threat actors had access to the Starwood network since 2014 -- Marriott acquired Starwood in 2016. Austin said he believes people affected by the Marriott data breach should assume that even the data that was encrypted was compromised.

"If someone has been in your system for four years, they have lots and lots of information, including your encryption certificates," he said. "We should make the assumption that they were able to decrypt everything."

Stolen passport numbers can be used for identity theft and to commit fraud, Austin said. Having access to information like someone's passport and credit card number and the itinerary of where they tend to travel makes it much easier to impersonate the victim, he said.

Accessing the master encryption key

Sumit Agarwal, co-founder and COO at Shape SecuritySumit Agarwal

Given the scale and breadth of the Marriott data breach, Sumit Agarwal, co-founder and COO at Shape Security, based in Mountain View, Calif., said it's likely the hackers did gain access to the master key.

"At this point, many experts believe that a foreign intelligence agency was behind this hack, which makes it very likely that the passport numbers were a key target and more desired," Agarwal said.

The difficulty for a hacker gaining access to a master encryption key depends on how the organization has chosen to configure, control, monitor and manage access to the key, ISACA's Raef Meeuwisse said in an email interview.

[It's difficult to] excuse in this day and age that someone isn't encrypting all sensitive data in their databases.
Bryce AustinCEO at TCE Strategy

If the key is held in a security-hardened environment designed to manage cryptographic keys, where access to keys is monitored and limited to those individuals who absolutely require it, it should be hard to gain unauthorized access, Meeuwisse said. "But a failure to have a cryptographic key management system can leave the key vulnerable to unauthorized access."

"Most significantly, any basic due diligence review of the Starwood cybersecurity in place should easily have identified the gaps and risks present," Meeuwisse said. "I advocate that every security function should have an annual independent review -- but when it comes to acquisitions, those reviews are even more important. In my experience, the more resistant a potential acquisition is to an independent security review, the more significant the existing security deficits are likely to be."

Data retention, protection best practices

Raef Meeuwisse, ISACARaef Meeuwisse

In the case of the Marriott data breach, the decision to store, but not encrypt, certain personal data is likely to increase the organization's exposure to larger regulatory financial penalties, Meeuwisse said.

It's a good data retention practice to only retain personal information for the minimum amount of time necessary, he said, and to ensure that all personal data is encrypted as standard.

"This should be enforced by regularly auditing the systems used to store personal information to ensure compliance and by making sure any security gaps or failures to encrypt are addressed," Meeuwisse said.

The problem for many organizations, he said, is they underestimate the cyberthreat levels, underinvest in achieving appropriate levels of cybersecurity, and the security investments they do make are often added to technologies and digital landscapes as an afterthought. Many organizations also fail to provide their security functions with the power and authority they need to get the job done, he added.

TCE Strategy's Austin advised businesses to invest in SIEM products, which can aggregate an organizations log files as well as other data and alert security teams to anomalies and potential malicious activity on the network.

Dig Deeper on Data security and privacy