MARRIOTT DATABASE BREACH
Serious problems for Starwood
Marriott International said today that up to 500 million guests’ information may have been accessed as part of a data breach of its Starwood guest reservation database. The world’s largest hotel chain said it determined on Nov. 19 that an “unauthorized party” had accessed the database as early as 2014. For about 327 million of the guests, it added, the information includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Brands that may have been affected include Ritz-Carlton, JW Marriott, the Autograph Collection, EDITION and more than a dozen others.
Commenting on this, Adam Brown, manager of security solutions at Synopsys, said:
“The world’s largest hotel chain may have just reported the world’s largest hotel guest data breach and the world’s second largest data breach.
In line with protocol, the breach has been reported to the Information Commissioner’s Office – this would need to have been no later than 72 hours after their data protection officer was aware of the breach being real. Of the half a billion data subjects that have been breached, many will be EU citizens, which is why the ICO has been alerted under GDPR rules. Of the 327 million for whom personal data has been leaked, that data is stated as encrypted. However, this isn’t offering any protection since the means to decrypt have also been obtained. This could either be due to unsafe key storage or use of inappropriate encryption mechanisms.
To avoid such breaches going undetected, firms should implement sufficient logging and monitoring of their data as per the new #10 of the OWASP Top 10. To avoid such breaches in the first place, firms should implement a software security initiative; a good observation of what mature firms do in this regard can be seen in the freely published BSIMM study – now in its 10th year: www.bsimm.com”
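The logging-and-monitoring point in the quote is concrete enough to illustrate. The following is an added example, not code from Marriott, Starwood, Synopsys or the OWASP project: it parses a small, constructed database audit log and flags any principal that reads an unusually large number of distinct guest records within a short window, which is the kind of signal that would surface bulk access to a reservation database long before a multi-year exposure. The log format, principal names and thresholds are assumptions for the demonstration.

```python
"""Flag principals that read many distinct guest records in a short window.

Added example. The audit log below is constructed for illustration; the
line format (timestamp, principal, action, record id) is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log: one read or write of a guest record per line.
SAMPLE_LOG = """\
2018-11-18T02:00:01Z app-frontend SELECT guest/1001
2018-11-18T02:03:10Z app-frontend SELECT guest/1002
2018-11-18T02:09:45Z app-frontend SELECT guest/1003
2018-11-18T03:15:00Z svc-reporting SELECT guest/2001
2018-11-18T03:15:04Z svc-reporting SELECT guest/2002
2018-11-18T03:15:08Z svc-reporting SELECT guest/2003
2018-11-18T03:15:12Z svc-reporting SELECT guest/2004
2018-11-18T03:15:16Z svc-reporting SELECT guest/2005
2018-11-18T03:15:20Z svc-reporting SELECT guest/2006
2018-11-18T03:15:24Z svc-reporting UPDATE guest/2006
"""


def parse_log(text):
    """Return a list of (timestamp, principal, action, record) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, record = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       principal, action, record))
    return events


def max_records_in_window(events, window_seconds):
    """For each principal, the largest number of distinct records it read
    within any sliding window of `window_seconds` seconds."""
    reads = defaultdict(list)
    for ts, principal, action, record in events:
        if action == "SELECT":          # only reads count toward exfil risk
            reads[principal].append((ts, record))

    peaks = {}
    for principal, items in reads.items():
        items.sort()
        in_window = Counter()           # record id -> reads inside window
        start = 0
        peak = 0
        for ts, record in items:
            in_window[record] += 1
            # Slide the window start forward until it is within range.
            while (ts - items[start][0]).total_seconds() > window_seconds:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        peaks[principal] = peak
    return peaks


def flag_bulk_readers(events, window_seconds, threshold):
    """Principals whose peak distinct-record read count meets the threshold."""
    peaks = max_records_in_window(events, window_seconds)
    return sorted(p for p, n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(max_records_in_window(evts, 60))
    print(flag_bulk_readers(evts, 60, 5))
```

Run as a script, the example reports the per-principal peaks and flags only `svc-reporting`, whose six reads in twenty seconds exceed the assumed threshold of five distinct records per minute, while the front-end's spread-out single lookups do not. In a real deployment the thresholds would be tuned per role from baseline traffic, and the alert would feed the incident process rather than a print statement.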