Cybr Lesson #1: Mistakes Made & Lessons Learned the EASY Way!
I love quotes! I mean… really love them. In just one or two lines I can get or give the inspiration or motivation I need to succeed…or to help others re-align their state of mind!
We returned to school online at our house for the first semester, and it’s been nothing less than a beating for me and my daughter. In fact, most parents, kids and teachers who went back-to-school remotely are in the same boat right now. It’s been painful!
Everyone is making mistakes, missing deadlines, unable to figure things out, unable to access systems and attend meetings due to technology failures. My kids are feeling dumber by the day…and I was looking for quotes to remind them that they are not alone, that making mistakes is how we learn, that this is uncharted territory for them, etc.
That’s when I ran across this one!
It may not apply to them at this moment, but I had to share it with them. And I wanted to share it with YOU, because these are words to live by. Yes, we’ll all make mistakes, and that’s okay – as long as we learn from them. Mistakes are nothing more than life’s lessons learned the hard way!
But, I have ALWAYS been a big fan of “learning from the mistakes of others” whenever possible! Running across this quote inspired me to write a series of cybersecurity “Lessons Learned” posts.
I wanted to find and share cybersecurity mistakes, breaches and incidents that would help people learn from the mistakes of others. Here’s lesson #1, courtesy of Marriott International’s Q1 2020 data breach! Let’s take a peek and see what we can learn from their mistakes.
Marriott’s Credential-Based Breach
What Happened & How?
Hackers obtained the credentials of two employees at a Marriott property. They extracted data from the loyalty system for about a month before being discovered. It’s not known how the hackers obtained the employee credentials, but it is believed they were obtained via credential stuffing or phishing.
Marriott notified affected guests in March 2020. Data belonging to 5.2 million guests was accessed using the login credentials of two franchise employees. The data collected by the attackers included:
- contact details (e.g., name, mailing address, email address, and phone number)
- loyalty account information (e.g., account number and points balance, but not passwords)
- additional personal details (e.g., company, gender, and birthday day and month)
- partnerships and affiliations (e.g., linked airline loyalty programs and numbers)
- preferences (e.g., stay/room preferences and language preference)
So, what was the impact to their business? Costs can come in many forms.
On average, a data breach costs about $4 million, unless your business is fined of course, in which case it can be substantially more. On top of this, there are various non-financial factors that can cost a business in this kind of situation, like bad press, loss of employee and consumer trust, brand damage, etc.
The cost of “not knowing”! On average, companies take about 197 days to identify and 69 days to contain a breach according to IBM, typically costing businesses millions of dollars. Per IBM, companies that contain a breach in less than 30 days save more than $1 million in comparison to those who take longer.
The cost of “customer notification”! The cost alone of notifying customers about a hack averages about $740,000 in the United States.
The cost of “associated monetary fines”! Companies also face major fines if they take too long to disclose the breach, which puts them at risk of lawsuits from consumers and other agencies. Marriott was fined $123 million by the UK authorities for a previous data breach in 2018 that included 327 million pieces of personal customer information.
I’m not sure exactly what the total financial impact was of this latest breach, but I’m sure it was noteworthy. Their post-breach remediation efforts included the following:
- They provided an online portal for customers to submit their personal information to determine if their data was breached.
- Marriott changed account passwords to protect customers, so consumers had to reset those.
- They enabled two-factor authentication to protect consumer details.
- For affected US residents, Marriott will pay for a year of identity monitoring from IdentityWorks.
Lessons learned the hard way by Marriott
Per Kelly White, CEO of RiskRecon, the Marriott breach reflects a lack of doing the basics well. He specifically calls out the lack of multi-factor authentication for employees attempting to access sensitive data. It should require more than just a password to get into that system.
He also mentioned the need for improved user account activity monitoring via their IAM system to spot suspicious behavior. A franchise account looking up 5.2 million customer accounts should definitely have “alerted” the Marriott IT team, so they could have investigated that anomaly immediately.
Per Mr. White, either preventive measure could have significantly decreased the scope of the breach or prevented it entirely by making it harder for them to steal credentials and gain access.
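To make the second lesson concrete, here is an added example of the kind of account activity monitoring Mr. White describes. This is illustration code written for this post, not anything from Marriott or RiskRecon, and the log format, account names and the one-hour/50-guest threshold are all assumptions. It counts how many distinct guest records each account looks up within any sliding one-hour window and flags accounts that exceed a baseline, so a single login pulling thousands of records stands out while a front-desk clerk refreshing the same reservation does not.

```python
"""Volume-based anomaly detection over loyalty-system access logs.

Constructed log format (an assumption for this example, not a real system's format):
    2020-01-15T09:00:00 account=<login> action=lookup guest_id=<id>
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Split one log line into (timestamp, account, action, guest_id)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_text), fields["account"], fields["action"], fields["guest_id"]


def max_distinct_guests_in_window(events, window):
    """events: sorted list of (timestamp, guest_id) for a single account.

    Returns the largest number of *distinct* guests looked up within any span of
    length `window`, using a two-pointer sweep so repeated lookups of the same
    guest (normal clerk behaviour) are not counted as bulk access."""
    in_window = Counter()
    left = 0
    best = 0
    for ts, guest in events:
        in_window[guest] += 1
        # Drop events that fell out of the window ending at `ts`.
        while events[left][0] < ts - window:
            old_guest = events[left][1]
            in_window[old_guest] -= 1
            if in_window[old_guest] == 0:
                del in_window[old_guest]
            left += 1
        best = max(best, len(in_window))
    return best


def detect_bulk_lookups(lines, window=timedelta(hours=1), threshold=50):
    """Return {account: peak_distinct_guests} for accounts exceeding the threshold.

    The threshold is an assumed baseline; in practice it would be derived from
    each role's historical activity rather than hard-coded."""
    per_account = defaultdict(list)
    for line in lines:
        ts, account, action, guest = parse_line(line)
        if action == "lookup":
            per_account[account].append((ts, guest))
    alerts = {}
    for account, events in per_account.items():
        events.sort()
        peak = max_distinct_guests_in_window(events, window)
        if peak > threshold:
            alerts[account] = peak
    return alerts


def build_sample_log():
    """Constructed sample data: one normal clerk, one bulk reader, one repeat lookup."""
    lines = []
    base = datetime(2020, 1, 15, 9, 0, 0)
    # Normal: eight different guests spread across a shift.
    for i in range(8):
        ts = base + timedelta(minutes=45 * i)
        lines.append(f"{ts.isoformat()} account=frontdesk.alice action=lookup guest_id=G{1000 + i}")
    # Suspicious: 120 distinct guests in 30 minutes from one franchise login.
    for i in range(120):
        ts = base + timedelta(hours=2, seconds=15 * i)
        lines.append(f"{ts.isoformat()} account=frontdesk.mallory action=lookup guest_id=G{5000 + i}")
    # Benign noise: the same reservation refreshed 60 times in an hour.
    for i in range(60):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} account=frontdesk.bob action=lookup guest_id=G7777")
    return lines


if __name__ == "__main__":
    for account, peak in detect_bulk_lookups(build_sample_log()).items():
        print(f"ALERT {account}: {peak} distinct guest records in a one-hour window")
```

Run as-is it flags only the bulk-reading account. The point of counting distinct guest IDs rather than raw requests is to keep the alert meaningful: the clerk who re-opens one reservation sixty times stays quiet, while an account sweeping through the customer base trips the alert well before it reaches millions of records.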
Another analysis of the event points out that because “employer affiliations were exposed”, experts expect to see increased attacks against the businesses whose employees had their data stolen. Having access to the stolen data types provides insight into travel patterns that can be exploited by attackers at a later date.
We need to remember that stolen data gets recirculated! This makes future data breaches at other companies more likely! This really drives home the importance of securing our weakest links when it comes to protecting company, customer and community data…humans. You need to do more to control what data gets accessed, by whom, when, why and how!
On A Positive Note
Marriott’s security team minimised the attacker’s time in their system to about a month.
As soon as the breach was discovered, the company disabled login credentials and began an investigation immediately, implemented an improved monitoring solution, and arranged resources to inform and assist guests. Marriott also notified relevant authorities and is supporting their investigations.
It’s also worth noting that both Marriott attacks were indirect in nature. The latest attack began with a franchisee, while the 2018 breach was against the reservation database of another hotel chain they acquired in 2016. Per Mark Sangster, vice president of security firm eSentire, “Supply chain is one of the greatest vulnerabilities for companies like Marriott”, demonstrating the need for companies to “secure not only their business but that of their partners, contractors, and franchisees.”
Remember, it’s better to learn from other people’s mistakes when possible!
A reader suggested that we also mention this article, which explains how a hotel reservation platform leaked the records of millions of people through an exposed S3 bucket: https://www.websiteplanet.com/blog/prestige-soft-breach-report/. Check it out for more information!