Hotel and hospitality giant Marriott International once again finds itself facing questions over its cyber security practices and policies after another data breach – fortunately confined to a single property in the US – came to light.
First revealed on 5 July by DataBreaches, the breach saw a server at the BWI Airport Marriott, near Baltimore, Maryland, compromised and 20GB of data exfiltrated, allegedly including credit card details and other forms of proprietary information, and personally identifiable information (PII) on flight crews booked to stay at the property.
The threat actor responsible, referred to as The Group With No Name, contacted DataBreaches of its own accord and claimed to be a long-established group that has so far avoided much media coverage.
The group told DataBreaches that Marriott had “very poor” security and that it had had no problem extracting the data. It also said it was not a ransomware gang and did not encrypt any data, preferring instead to move straight to extortion. It also said it does not attack critical national infrastructure (CNI) or government bodies, although these claims are neither verified, nor should they be taken as the truth.
A Marriott spokesperson told Computer Weekly: “Marriott International is aware of a threat actor who used social engineering to trick one associate at a single Marriott hotel into providing access to the associate’s computer. The threat actor did not gain access to Marriott’s core network.
“Our investigation determined that the information accessed primarily contained non-sensitive internal business files regarding the operation of the property. The incident was contained to a short period of time.
“Marriott identified and was investigating the incident before the threat actor contacted the company in an extortion attempt, which Marriott did not pay.
“The company is preparing to notify 300-400 individuals regarding the incident. Marriott has also notified law enforcement and is supporting their investigation.”
Though quite evidently not as severe as the 2020 breach that saw the data of 5.2 million Marriott guests compromised, or the 2014 breach of its Starwood brand, revealed in 2018, which may have exposed more than 300 million records and resulted in a regulatory fine in the UK, Marriott’s cyber security team will once again face tough questions.
Dominic Trott, who heads UK strategy for Orange Cyberdefense, said the incident highlighted the need to guard against unwitting human error, which seems to have been the single point of failure in this instance.
“Teaching employees how to recognise phishing attempts and detect malicious activity will ultimately enable them to access the security resources needed to stop cyber criminals in their tracks, and carry out their own jobs safely and effectively,” he said.
“The need for defence-in-depth strategies that work to mitigate human error have never been more vital for businesses across all sectors, as the rise of flexi-working has resulted in work being a thing people do, rather than a place they go. Working in their own homes and other environments they are comfortable in can cause staff to lower their defences and become more susceptible to social engineering attacks, as suffered by Marriott.”
Mehmet Surmeli, principal incident response consultant at WithSecure (formerly F-Secure), said there were nevertheless encouraging signs in Marriott’s response that it was doing the right thing.
“Regardless of the implications to their business and context of why this incident has taken place, I am glad to see that Marriott hasn’t paid the ransom demand, and we should praise the company for not financing the threat actors and sponsoring further attacks,” said Surmeli. “I hope they can take the valuable lessons learned from this incident and improve their and others’ security by sharing this knowledge.
“Thanks to the research performed in the industry, we know that every ransom payment results in approximately another 100 campaigns, where more and more organisations are impacted and people’s data is being stolen.”