Article posted: Dec 20, 2018
By Anders Adolfsson, Technical Consultant
As many as 500 million guests of the Starwood hotel chain may already be, or soon will be, cursing their choice of hotel. In recent weeks they have received news that their personal information may have been exposed through Starwood's guest reservation database.
According to Starwood's parent company Marriott, the unauthorized party got away with names, mailing and email addresses, phone numbers, dates of birth, gender, and in some cases passport numbers. For some guests, the attacker also accessed payment card numbers. Marriott says those card numbers were encrypted with AES-128 and are therefore probably safe. But Marriott also says that two components are needed to decrypt them, and it has not been able to rule out the possibility that both components were taken.
This story is interesting on many levels, but the point that caught my eye is that while the card data was encrypted, the keys were not secured, nor were they managed, with the same care. Marriott does not believe the keys were retrieved, but it cannot say so with certainty. With properly managed keys that uncertainty does not arise: a key that is generated and used only inside tamper-resistant hardware (an HSM) never exists in a form that a copy of the database, or of an application server, could contain. That is why it is critically important to generate and store keys in tamper-resistant hardware, keep an audit log of every key access, and manage the full key lifecycle with traceability: knowing where each key is located, where it has been, and how it was created.
It's the end of 2018. Let's make a resolution for the new year that no company should play fast and loose with customers' data. Encryption at rest is only as strong as the protection around its keys; an encryption procedure cannot work if one of the two vital components is accessible to the attacker along with the ciphertext.
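To make the distinction concrete, here is an added example (not Marriott's system and not the author's code) of envelope encryption in Go using the standard library's AES-128-GCM. A KeyStore type stands in for an HSM: the key-encryption key (KEK) is generated inside it, is never returned to callers, and every wrap or unwrap is written to an audit log. Each card number is encrypted under its own data-encryption key (DEK), and the database row holds only the ciphertext and the wrapped DEK. The type and function names, the KEK identifier "card-kek-2018", and the card number are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// must panics on errors that well-formed inputs cannot produce (bad key length, crypto/rand failure).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func aeadFor(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal encrypts with AES-128-GCM; the random 96-bit nonce is prefixed to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aeadFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check rejects a wrong key or tampered data.
func open(key, data []byte) ([]byte, error) {
	gcm := aeadFor(key)
	ns := gcm.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:ns], data[ns:], nil)
}

// KeyStore stands in for an HSM (assumed, in-process): the key-encryption key (KEK)
// is generated inside it, is never returned to callers, and every use is audit-logged.
type KeyStore struct {
	ID    string
	kek   []byte
	Audit []string
}

// NewKeyStore generates a 128-bit KEK that lives only inside the store.
func NewKeyStore(id string) *KeyStore {
	ks := &KeyStore{ID: id, kek: randomBytes(16)}
	ks.Audit = append(ks.Audit, "generate kek="+id)
	return ks
}

// Wrap and Unwrap are the only operations exposed on the KEK.
func (ks *KeyStore) Wrap(dek []byte) []byte {
	ks.Audit = append(ks.Audit, "wrap kek="+ks.ID)
	return seal(ks.kek, dek)
}

func (ks *KeyStore) Unwrap(wrapped []byte) ([]byte, error) {
	ks.Audit = append(ks.Audit, "unwrap kek="+ks.ID)
	return open(ks.kek, wrapped)
}

// Record is a reservation row: a database dump yields both fields, but neither is usable without the KEK.
type Record struct {
	KeyID      string // which KEK wrapped the DEK, for traceability
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptCard uses a fresh data-encryption key (DEK) per record and stores only its wrapped form.
func EncryptCard(ks *KeyStore, card string) Record {
	dek := randomBytes(16)
	return Record{KeyID: ks.ID, WrappedDEK: ks.Wrap(dek), Ciphertext: seal(dek, []byte(card))}
}

// DecryptCard works only for a caller that can reach the right key store; any other KEK fails the tag check.
func DecryptCard(ks *KeyStore, r Record) (string, error) {
	dek, err := ks.Unwrap(r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, r.Ciphertext)
	return string(pt), err
}

func main() {
	ks := NewKeyStore("card-kek-2018")
	r := EncryptCard(ks, "4111111111111111") // constructed test card number
	fmt.Println(DecryptCard(ks, r))                   // card number, <nil>
	fmt.Println(DecryptCard(NewKeyStore("other"), r)) // "", cipher: message authentication failed
	fmt.Println(ks.Audit)
}
```

The weak pattern the article warns about is the same `seal` call with the key stored beside the ciphertext: whoever copies the table then holds both components and can run `open` offline, with nothing written to any audit log. In the envelope design the audit log records every unwrap, so a bulk decryption of 500 million rows would be visible. An in-process KeyStore is only a stand-in; in production the KEK would live in a real HSM or cloud KMS reached over PKCS#11 or its API, so that the key material is never in the application's memory at all.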
For its part, Marriott is trying to do the right thing. When the Marriott group first learned of an attempt to access the guest database, it investigated and discovered that unauthorized access to the Starwood network had been going on for years, since 2014 according to the company. The attacker had copied the information, encrypted it, and attempted to remove it from the network. Once Marriott was able to decrypt the copied data, it was clear it had come from the Starwood guest reservation database.
The Starwood chain includes a variety of hotel brands, such as W Hotels, St. Regis, Sheraton, Westin, Le Méridien, Four Points by Sheraton and others, including Starwood-branded timeshare properties.
Now, Marriott is working with law enforcement to find the culprits. It is also phasing out the Starwood reservation database, and is offering affected guests a free year of enrollment in a monitoring service that watches for potential fraud. The company has a dedicated call center where customers can find out whether their data was compromised and what their options are if the answer is yes. It is also sending email notifications to potentially affected guests.
And, I have no doubt they will carry out their promise to "accelerate the ongoing security enhancements to our network." Step one: secure those keys!