Marriott chief apologises before U.S. Senate Committee for massive data breach

Arne Sorenson, the chief executive of Marriott International Inc, appeared before the U.S. Senate Permanent Subcommittee on Investigations on Thursday to apologize for the massive data breach of the Starwood guest reservation system that compromised approximately 383 million data records, including 8.6 million unique payment card numbers, 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.

On 30th November, Marriott International announced, to the horror of millions of its customers, that personal and financial information of up to 500 million people who made bookings at the chain's Starwood hotels was compromised after hackers gained unauthorised access to the Starwood guest reservation database on or before September 10, copied information stored in the database, and attempted to remove it.

The data breach impacted personal and financial information of millions of people who made bookings at Marriott International's Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.

In January, Marriott revised the number of customers affected by the breach, announcing that the breach had, in fact, compromised no more than 383 million data records as against the 500 million that it had initially predicted. While the hotel chain refused to quantify the lower number of records compromised by the incident, it said that there were multiple records for the same guest.

Compromised data records also included 8.6 million unique payment card numbers (encrypted), 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers. Earlier this month, Marriott revised the number of encrypted payment card numbers compromised during the incident to 9.1 million from 8.6 million, adding that approximately 385,000 of such cards were unexpired as of September 2018.

Marriott chief promises new measures to improve cyber security

On Thursday, Marriott International's chief executive Arne Sorenson appeared before the U.S. Senate Permanent Subcommittee on Investigations to apologize for the massive data breach, stating that the Starwood guest reservation system had been retired within a month after the breach was first announced and that the hotel chain would do everything required to ensure the protection of customers from cyber attacks in future.

"As of December 18, 2018, we are no longer using the Starwood Guest Reservation Database for business operations. In the time between the discovery of this incident and the retirement of the Starwood database, we took additional steps to secure the Starwood network, including malware removal, deployment of endpoint protection tools to approximately 70,000 devices that were originally on the Starwood network, rebuilding impacted hosts, and IP whitelisting to control access to the Starwood database.

"Beyond the steps taken to secure the Starwood network and the retirement of the Starwood Guest Reservation Database, we have accelerated our roll-out of endpoint protection tools to over 200,000 devices. Those tools allow real-time discovery of suspicious behavior on both the Starwood and Marriott networks and have next-generation anti-virus features.

"We are focused on identity access management, which means a broader deployment of two-factor authentication across our systems, as well as network segmentation, which means isolating the most valuable data so that it becomes more difficult for attackers to access the systems and for malware to spread through the environment," Sorenson said.

Copyright Lyonsdown Limited 2020
