
In 2018, Marriott International discovered a breach in the systems of Starwood Hotels, which Marriott had acquired a couple of years prior. In total, around 339 million sets of customer records were impacted, some of which included passport numbers and credit card information.
What happened?
The attack began in 2014 when the attacker installed a web shell on a server in the Starwood network. The server hosted Accolade software, which was used to allow Starwood employees to make changes to the company’s website. The attacker then installed a remote access trojan (RAT) and gained administrator control of the system.
The attacker then installed Mimikatz, which harvested the usernames and passwords stored in system memory on the server. This gave the attacker access to a bunch of accounts, which it used to penetrate further into the network and run commands on the Starwood reservation database. From 2015 to 2016, the attacker then created a series of .dmp files, which may have been part of a plan to exfiltrate data from Starwood’s databases.
Amid the long and slow progression of this attack, Marriott discovered another intrusion into Starwood at the start of 2017. Marriott believes that a separate attacker installed malware that searched devices for payment card data. However, it didn’t succeed in collecting any data.
On the 7th of September, 2017, the original attacker performed a count on a database containing payment card data and exported it into another .dmp file, which set off a security alert. Accenture, Marriott’s security provider, contacted Marriott’s security team regarding the alert on the following day. By the 10th, the attacker had exported another database and Marriott had kicked off its incident response process.
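The sequence that finally tripped the alert above (a count on a payment-card database, then an export to a .dmp file) is a recognisable pattern a defender can watch for. As an added example that is not code from the original post, the Python below scans a constructed database audit log in an assumed one-line-per-statement format and flags that count-then-dump sequence, as well as any export of a sensitive table to an unapproved location; the table names, log format and approved directory are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed table names and approved export location; adjust for a real schema.
SENSITIVE_TABLES = {"payment_cards", "guest_passports"}
APPROVED_DUMP_DIR = "/backup/"
WINDOW = timedelta(hours=24)  # how long a COUNT(*) stays "recent"

# Assumed audit-log line format: <ISO timestamp> <db user> <statement>
LINE_RE = re.compile(r"^(\S+) (\S+) (.+)$")
COUNT_RE = re.compile(r"SELECT\s+COUNT\(\*\)\s+FROM\s+(\w+)", re.I)
DUMP_RE = re.compile(r"EXPORT\s+TABLE\s+(\w+)\s+TO\s+(\S+\.dmp)", re.I)


def find_suspicious_dumps(lines):
    """Return (user, table, path, reason) for each export of a sensitive table
    that was either preceded by a COUNT(*) from the same user within WINDOW,
    or written outside APPROVED_DUMP_DIR."""
    last_count = {}  # (user, table) -> time of most recent COUNT(*)
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the scan
        ts = datetime.fromisoformat(m.group(1))
        user, stmt = m.group(2), m.group(3)
        c = COUNT_RE.search(stmt)
        if c:
            last_count[(user, c.group(1).lower())] = ts
            continue
        d = DUMP_RE.search(stmt)
        if not d:
            continue
        table, path = d.group(1).lower(), d.group(2)
        if table not in SENSITIVE_TABLES:
            continue
        seen = last_count.get((user, table))
        if seen is not None and ts - seen <= WINDOW:
            hits.append((user, table, path, "count-then-dump"))
        elif not path.startswith(APPROVED_DUMP_DIR):
            hits.append((user, table, path, "dump-outside-approved-dir"))
    return hits


# Constructed sample log: a benign nightly backup, one corrupted line, and
# two exports that should be reviewed.
SAMPLE_LOG = [
    "2017-09-06T02:00:00 etl_job EXPORT TABLE guest_passports TO /backup/gp.dmp",
    "<<corrupted>>",
    "2017-09-07T10:12:05 svc_web SELECT COUNT(*) FROM payment_cards",
    "2017-09-07T10:20:41 svc_web EXPORT TABLE payment_cards TO /tmp/pc.dmp",
    "2017-09-10T03:15:00 svc_web EXPORT TABLE guest_passports TO /tmp/gp2.dmp",
]

if __name__ == "__main__":
    for user, table, path, reason in find_suspicious_dumps(SAMPLE_LOG):
        print(f"ALERT [{reason}]: {user} exported {table} to {path}")
```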
In the following days, Marriott began deploying forensic tools and real-time monitoring on 70,000 devices on the Starwood network. Marriott discovered unauthorized activity that utilized the credentials of an Accenture employee. It also discovered a remote access trojan (RAT) and blocked the command-and-control IP addresses that the RAT used.
Marriott didn’t discover Mimikatz and the payment card data malware on its systems until the middle of October, but it held off on notifying the FBI until the 29th of October. In the middle of November, Marriott found and decrypted two databases of sensitive data that had been encrypted and then deleted by the attacker. The company then notified the UK Information Commissioner’s Office of the data breach, before finding more files that had been created by the attacker.
By the end of November, Marriott went public with the data breach and began notifying the affected individuals.
How much data was compromised?
All up, the attacker accessed personal data in both plaintext and ciphertext. The unencrypted information included personal data about hotel guests, such as their:
- Name
- Gender
- Date of birth
- Email address
- Phone number
- Travel details
- Passport number
- Credit card expiration date
On top of this, millions of encrypted passport numbers and encrypted payment card records were also compromised. All up, 5.25 million unencrypted passport numbers were accessed, along with 18.5 million encrypted passport numbers and 9.1 million encrypted sets of payment card data. In total, Marriott estimates that 339 million sets of guest records were impacted in the breach.
That’s it for this week. Next week, we’re going to jump in and look at what went wrong with Marriott’s security. Stay tuned,