Marriott Starwood Data Breach — A Cultural Problem

Lawrence Manickam
Published in kuberiter
Dec 8, 2018 (6 min read)


As a Starwood member, the Marriott security breach is personal to me.

The intruder had access to the Starwood systems from 2014 onward and exfiltrated sensitive data for four years. It was not a sudden, one-day attack.

Data on approximately 500 million guests was exposed, roughly the combined population of the USA, Canada and Mexico. Marriott lists the personally identifiable information (PII) of affected customers on its website as follows:

  • Names
  • Mailing address
  • Phone number
  • Email address
  • Passport number
  • Starwood Preferred Guest account information
  • Date of birth
  • Gender
  • Arrival and departure information
  • Reservation date
  • Communication preferences

Data breaches do not just expose one identity; they put lives and reputations at risk. The travel pattern of an FBI agent who frequently visits a specific location for classified work could be exposed to a foreign intelligence service. A wealthy married man who lied to his wife about his travel plans could be blackmailed.

The Marriott breach happened because of ignorance and a lack of accountability. It is evident that the company's Information Technology department has a notable cultural problem.

I did work for several government agencies in the past. A sentence I often heard in meetings was "Lawrence, it's taxpayers' money. We must be careful about our spending." They have that conscience built into them.

Hotels like Marriott serve a large share of the population. The breach would never have happened if Marriott's IT department had put the interests of its customers above everything else.

Four years of intrusion at a multi-billion-dollar hotel chain is unacceptable.

Technology has become more complex. Systems and applications are spread across multiple clouds, conventional data centers, vendor data centers, vendor clouds and client machines. The urge to adopt digital strategies, the push for speed to market, the use of unverified packages inside custom applications, the lack of penetration tests and the fear of failure are all factors behind today's IT security violations.

Government regulations are reactive. Fortune 500 companies such as Marriott have deep pockets to pay the penalty when a violation occurs. 90% of violations at small and medium companies are never reported.

At the end of the day, it hurts a human being: their identity, their credit rating, their constitutional rights and the trust they placed in the company.

There is no privacy in this century. Cloud computing spans the globe, and your information may sit in a distant country. We travel globally. Foreign hotels copy your passport at registration, swipe your credit card at check-in and have access to your travel itinerary. Offshore call centers have access to your tax, banking and retirement benefit records. A call center agent can simply memorize the personally identifiable information (PII) of a targeted customer; there is no need to take a screenshot, carry a USB drive or snap a picture with a smartphone.

In IT projects, the security plan collapses immediately into physical architecture: firewalls, intrusion detection systems, hardened servers, encryption at the database and so on. Teams often forget the security of the applications themselves (web servers, application servers, content management systems, custom applications and others), the SSH keys sitting on abandoned laptops and the contact information on an unused smartphone.

I thought about a few points to address security practices in corporations.

IT Governance

An Enterprise Architecture based governance process must be implemented to give a holistic security view of the organization. It should not be a hidden process, at least at certain layers of management.

I was part of several security architecture discussions at various client sites. The discussions become very technical and stakeholders lose interest in listening. That should be avoided. An easily understandable awareness campaign should be built to educate all stakeholders so they can support the security governance efforts.

Teams work hard to harden servers, install TLS certificates, segment VLANs and put RSA tokens in front of OS logins, but the production application server instance is left with its default username and password. That single weakness lets an intruder log in to the production application server and bring it down, or deploy code of their own through the admin console.
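A release-gate check for exactly this failure, as an added example that is not from the original post. The post does not name the application server; this script assumes Apache Tomcat and scans its tomcat-users.xml for accounts that still use a known default pair, an empty password, a password equal to the username, or a short password, and notes whether the account holds a deploy or admin role. The sample file and the default-pair list are constructed for the demo; the list is illustrative, not exhaustive.

```python
"""Release-gate check: flag application-server accounts that still use
default or trivially weak credentials (added example, Tomcat assumed)."""
import xml.etree.ElementTree as ET

# Well-known default username/password pairs that scanners try first.
# Illustrative subset; extend it from your own product documentation.
DEFAULT_PAIRS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("admin", "admin"),
    ("manager", "manager"), ("admin", "password"), ("root", "root"),
}

# Tomcat roles that allow deploying/undeploying applications or managing the host.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}


def _local(tag):
    """Strip an XML namespace prefix: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def find_weak_accounts(xml_text):
    """Return one finding dict per <user> entry that should block the release."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        user = elem.get("username", "")
        pwd = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        reasons = []
        if (user.lower(), pwd) in DEFAULT_PAIRS:
            reasons.append("known default credential pair")
        if pwd == "":
            reasons.append("empty password")
        elif pwd.lower() == user.lower():
            reasons.append("password equals username")
        elif len(pwd) < 12:
            reasons.append("password shorter than 12 characters")
        if reasons:
            findings.append({
                "username": user,
                "privileged": bool(roles & PRIVILEGED_ROLES),
                "reasons": reasons,
            })
    return findings


# Constructed sample: a lower-environment config after someone enabled the
# manager app "just for testing" and it was promoted unchanged.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,admin-gui"/>
  <user username="deploy" password="Qv7#kL2p!xW9mN4r" roles="manager-script"/>
  <user username="reports" password="" roles="reports"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in find_weak_accounts(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Run it against the real file in the deployment pipeline and fail the build on any finding; a privileged account with a default password is the case to treat as a hard stop, since the manager application lets whoever logs in deploy a web application of their choosing.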

Many organizations keep a few security architects to show that they care about customers. The two most neglected concerns in application development are performance and security. Unless security responsibilities become part of every team in the release pipeline, systems will only become more vulnerable.

Chief Information Security Officer (CISO)

Most organizations have the CISO report to the CIO, which is not correct in my opinion. A CISO must report to the CEO of the company to have the right security control and budget.

Product Security

Knowledge about product security is not integrated. IT administrators generally have good security knowledge of the product they manage, but that knowledge is not carried over into a complete security pipeline. They practice a siloed security model.

Governance must ensure that conventional security architects get enough training and knowledge transfer about a specific product's security features, and project plans must carry those security implementations as tasks.

Security Exceptions

In my opinion, there should be no exceptions for security. Years ago I saw around 80 security exception documents in one organization for its production applications. Once an application gets into production through the security exception process, the specific issue is put away for a long time.

A governance process for security exceptions should be implemented, and the organization should appoint someone to track the resolution of each exception within a fixed time period. The push to release applications in order to stay competitive is the prime reason behind security violations. Documenting exceptions may save jobs, but it does not save the general public who put their trust in your systems.

Legacy Systems

A legacy system is not always a mainframe. Any application more than five years old with no upgrades can be considered legacy. Intruders love legacy systems as a way into the network because they run for years without any auditing. Most legacy applications carry a loophole that invites an attacker to take control of the corporate network.

Cost plays a big role when it comes to upgrading legacy systems. Stakeholders must understand the risks of keeping a legacy application and act accordingly.

Abandoned Objects

We often talk about the sprawl of servers, virtual machines and storage. More than 30% of running virtual machines in a cloud environment are unused, and each one is a door left open for attackers.

Configuration items such as NAT gateways, Elastic IPs and internet gateways in a lower (non-production) cloud environment become unused once the application has been tested, and there is no process to shut them down. The lack of coordination, and of a checklist to roll back changes, creates security risk in an organization.

The massive growth of cloud configuration items must be managed well to avoid an attack.
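A concrete way to find the abandoned objects the two paragraphs above describe, as an added example that is not from the original post. It assumes AWS: the function takes records shaped like the `Addresses`, `NatGateways` and `RouteTables` lists returned by boto3's `ec2.describe_addresses()`, `ec2.describe_nat_gateways()` and `ec2.describe_route_tables()`, and reports Elastic IPs with no association and NAT gateways that no route table points at. The records below are constructed for the demo with fictional IDs; with live data you would feed the same function the real API responses.

```python
"""Find abandoned network objects nobody owns any more: Elastic IPs not
attached to anything and NAT gateways no route table routes through.
Added example; input shapes mirror boto3 EC2 describe_* responses."""


def find_orphaned_network_objects(addresses, nat_gateways, route_tables):
    """Return (orphan_eip_allocation_ids, orphan_nat_gateway_ids).

    An Elastic IP is an orphan when it has no association (no instance and
    no network interface). A NAT gateway is an orphan when it is still
    'available' (and therefore billing) but no route in any route table
    targets it, so no traffic can possibly be using it.
    """
    orphan_eips = [
        addr["AllocationId"] for addr in addresses
        if not addr.get("AssociationId")
        and not addr.get("InstanceId")
        and not addr.get("NetworkInterfaceId")
    ]

    referenced_nats = {
        route["NatGatewayId"]
        for table in route_tables
        for route in table.get("Routes", [])
        if route.get("NatGatewayId")
    }
    orphan_nats = [
        nat["NatGatewayId"] for nat in nat_gateways
        if nat.get("State") == "available"
        and nat["NatGatewayId"] not in referenced_nats
    ]
    return orphan_eips, orphan_nats


def tag_value(tags, key):
    """Read one value from an AWS-style tag list ([{'Key': .., 'Value': ..}, ...])."""
    for tag in tags or []:
        if tag.get("Key") == key:
            return tag.get("Value")
    return None


# Constructed sample data with fictional IDs (not from a real account).
ADDRESSES = [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa", "Domain": "vpc",
     "AssociationId": "eipassoc-0001", "InstanceId": "i-0123456789abcdef0"},
    # Allocated for a load test in QA and never released.
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb", "Domain": "vpc"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0live", "State": "available", "VpcId": "vpc-prod",
     "Tags": [{"Key": "env", "Value": "prod"}]},
    {"NatGatewayId": "nat-0stale", "State": "available", "VpcId": "vpc-qa",
     "Tags": [{"Key": "env", "Value": "qa"}]},
    {"NatGatewayId": "nat-0gone", "State": "deleted", "VpcId": "vpc-qa"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0prod", "VpcId": "vpc-prod", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0live"},
    ]},
    # The QA route to nat-0stale was removed when the test VPC was torn down,
    # but the gateway itself was left behind.
    {"RouteTableId": "rtb-0qa", "VpcId": "vpc-qa", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
    ]},
]

if __name__ == "__main__":
    eips, nats = find_orphaned_network_objects(ADDRESSES, NAT_GATEWAYS, ROUTE_TABLES)
    for alloc in eips:
        print(f"unassociated Elastic IP: {alloc}")
    by_id = {n["NatGatewayId"]: n for n in NAT_GATEWAYS}
    for nat_id in nats:
        env = tag_value(by_id[nat_id].get("Tags"), "env")
        print(f"NAT gateway with no route pointing at it: {nat_id} (env={env})")
```

Two caveats when acting on the output. `describe_nat_gateways` and `describe_route_tables` are paginated, so collect every page before calling the function, and check the Elastic IP against your DNS zones before releasing it: a record that still points at an address you have given back can be claimed by whoever allocates that address next.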

Trust

In the movie Firewall, the criminal asks Harrison Ford's character to plug in to a maintenance terminal to steal money from the data center. He responds: "The bank that took us over had them removed. There's nothing accessible from this room anymore. Not from this building. You're in the wrong town."

An intruder does not need a physical connection to your network to steal data. Many simple and sophisticated ways are available. They earn your trust first, then attack.

I came to know of a desktop engineer who planted spyware on his organization's CEO's laptop and was fired when it was discovered. No one could have suspected him going by his appearance, which was very suave.

The intruder usually comes through the back door, exploiting your organization's cultural issues, and most of the time we know who they are.

Continuous meetings, thousands of pages of architecture documents, more firewalls and more intrusion detection systems won't help. The key to data security is accountability and respect for customer data.

Jeff Weiner says:

The five deadly sins of “big” companies: Lack of accountability, overspecialization/declining productivity, risk aversion/complacency, lack of context/clear communication and diluting the culture.

The Marriott data breach is an accountability issue: the reckless behavior of its IT management.

Lawrence Manickam is the Technical Founder of Kuberiter Inc, a Seattle-based start-up that provides Digital Transformation Cloud/DevOps services.

Please subscribe at www.kuberiter.com to try our DevOps SaaS Services.
