Data breaches are occurring with increasing frequency at name-brand companies, and it’s certainly cause for concern. Millions of customers worldwide are typically harmed by these incidents, and more often than not sensitive identification and financial data is leaked.
Now the latest big data breach story is about Marriott, a very large international hotel chain. The breached data pertains to people who have stayed at Starwood Hotels and Resorts properties at least once between 2014 (no approximate date is given) and September 10th, 2018. If you didn’t stay at a Marriott branded hotel during this time period, there’s still reason for you to be concerned. The Starwood Hotels and Resorts chain includes the W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection properties, Tribute Portfolio properties, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels. Interestingly enough, although the press release reporting the breach is under the Marriott International name, Marriott-specific data wasn’t involved in this breach because the Starwood and Marriott reservation databases are still separate.
The large number of international properties and brands is the result of ongoing corporate mergers over the past few decades. Most recently, the merger of Marriott International and Starwood was approved on September 23, 2016. I know that several of those hotels are in my hometown of Toronto, and they’re also in cities and larger towns all over the Americas, Europe, Asia, Africa, Oceania, and the Middle East. There are collectively thousands of properties in 130 countries. If you stayed at a nice hotel in the past few years, there’s a chance that this breach has impacted you.
Marriott International reported the breach in a press release on November 30th. It explains:
“Marriott values our guests and understands the importance of protecting personal information. We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. This notice explains what happened, measures we have taken, and some steps you can take in response.
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”
“Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other limited information.”
Wow. So at least a few hundred million people were affected. I hope more specific numbers come out as progress is made in the post-incident investigation.
I’m glad that Marriott International reported the breach less than a few months after they discovered it; that’s better than what many large corporations have done in response to their data breaches. I’m also glad that they seem to be providing as much information as they’re able to. And that’s about as many nice things as I have to say about this matter.
Here are my criticisms. They discovered the breach in early September. Inevitably many of the impacted customers are citizens and residents of European Union countries. The EU’s General Data Protection Regulation came into effect this past May, and the law applies to the data of those customers even if they were staying in a hotel outside of Europe. According to the GDPR, breaches must be reported within 72 hours of discovery. The time Marriott International took to report this breach probably violated the GDPR. Time will tell whether or not the corporation gets fined.
The data privacy laws elsewhere in the world typically aren’t as strict as the GDPR. I know Canada’s PIPEDA regulation doesn’t mandate a specific time frame for reporting breaches! But sometimes the GDPR helps data breach victims who aren’t from the EU. If a breach affects people all around the world as this Starwood breach does, the fact that some of the customers are from the EU means that breach victims worldwide benefit from the pressure to report within 72 hours.
Still, Marriott International took nearly three months after discovery to report this breach.
It seems like Marriott International fixed the cause of the breach on September 10th, a couple of days after discovery. But this breach goes all the way back to 2014. Marriott says that a security tool of some sort helped them to discover the breach. Was that tool just very recently implemented? Did Starwood’s network lack proper intrusion detection devices, logging, and SIEM until very recently? That possibility bothers me.
This breach not only affects customers who are Starwood Preferred Guest (SPG) program members, but also customers who aren’t SPG members. If you think you may be a victim of this breach, here’s what you can do.
If you have an SPG account, change its password as soon as you possibly can. Then watch your SPG account for suspicious activity. Whether or not you’re an SPG customer, look at your credit card statements if you used a card at any of these Starwood properties. If something looks amiss, call your bank or the credit card issuer as soon as possible. See if you have breached data via Have I Been Pwned. Just keep in mind that you may still be affected by the Marriott breach even if your accounts aren’t mentioned in the site’s database, and the site may mention your breached data from unrelated data breach incidents. When in doubt, it doesn’t hurt to change all of your passwords for everything! Perhaps make sure to use a reputable password manager so you can use lots of complex passwords without writing any of them down on paper.
Tags: data breach, Hacking, Network Security, Web Security