Jan 11, 2023 4 min read

Marriott Cybersecurity Breach: Incident Report


Organization Details

This report covers the details of a cyber attack directed toward Marriott International, a U.S.-based hospitality company headquartered in Bethesda, Maryland. Marriott International controls several subsidiary hotel chains such as Marriott Hotels & Resorts, The Ritz-Carlton Hotel Company, Le Meridien, Sheraton Hotels and Resorts and Starwood Hotels. The attack was directed toward the reservation software used in the Starwood Hotel chain. Starwood was acquired by Marriott International in 2016 and had a history of cybersecurity incidents prior to the merger.

Incident Details

The breach initially took place in 2014, after cyber criminals installed a remote access trojan (RAT) in the reservation system of Starwood Hotels located in Stamford, Connecticut. This infiltration allowed the hackers to steal sensitive information about Starwood's customers who had previously used the reservation system, including personally identifiable information such as home addresses, passport details and financial account information. Marriott did not discover the breach until two full years after the acquisition of Starwood Hotels. Because Marriott did not conduct proper due diligence and follow sound cybersecurity practices, it was responsible for the damages incurred from the attack.

Marriott International confirmed that the breach had negatively affected around 500 million customers across multiple countries. Marriott paid a heavy price for allowing this breach to go unnoticed for as long as it did. The recovery costs to replace and repair the infiltrated reservation system, along with other updates, cost the company around $30 million. During this process Marriott conducted a complete overhaul of its cybersecurity department. The company added members to the security operations center (SOC) and implemented new standards and practices to prevent future cybersecurity incidents. The public details are vague, but the changes involved increased monitoring and better systems for reporting and responding to incidents.

Additionally, Marriott was hit with several legal costs associated with the breach. These included a fine of $120 million for violating GDPR regulations in the United Kingdom. The company was also the subject of multiple lawsuits in the United States totaling almost $13 billion for damages caused by the breach. At this time it is unknown whether Marriott has paid this sum, since the details are shrouded from public view. However, it is clear that Marriott International incurred a massive economic setback from this breach from fees alone. This does not include the damage to the company's reputation and stock price, which have undoubtedly suffered from the incident.

At this time it appears that the cybersecurity incident has been completely resolved. After the event a thorough cybersecurity audit and overhaul was conducted to remedy the attack. The initial breach was able to take place due to severely inadequate cybersecurity practices. Starwood Hotels allowed numerous vulnerabilities to persist for years such as using old versions of Windows software, open ports such as remote desktop and a lack of cybersecurity audits. Marriott International sealed their fate when they failed to conduct an extensive cybersecurity audit after acquiring the company. This entire incident would have likely been much less severe had both parties taken cybersecurity more seriously.

Technical Details

The hackers responsible for the attack against Starwood Hotels and Marriott International are still unknown, but their techniques have been uncovered through various forensic investigations. The initial breach of the Starwood Hotel chain likely began with a phishing email delivered to an employee of the company. This initial access allowed the hackers to move laterally through the network, escalate their privileges and install a RAT on the Starwood system. In addition to the trojan found on the servers, investigators also found the infamous hacking tool known as Mimikatz. This tool allows hackers to automatically steal credentials from a Microsoft system that has been compromised. Mimikatz uses numerous methods to recover passwords, including dumping credential material from memory.
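One detection a SOC could run over endpoint process-access telemetry to catch the kind of in-memory credential theft described above, added here as an example and not code from the original report. The flattened key=value log format, the sample records and the allow-list of legitimate LSASS readers are all assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Win32 process access right needed to read another process's memory. Credential
# dumping from LSASS needs a handle with this bit; 0x1010 is VM_READ plus
# QUERY_LIMITED_INFORMATION, a mask commonly seen in credential-theft telemetry.
PROCESS_VM_READ = 0x0010

# Hypothetical allow-list of binaries that routinely open LSASS on a Windows host.
# In production this is tuned from an environment baseline, not hard-coded.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened key=value record (a constructed Sysmon-like format)."""
    return {key.lower(): value for key, value in KV_RE.findall(line)}


def is_suspicious_lsass_access(event: Dict[str, str]) -> bool:
    """Flag a Sysmon EventID 10 (ProcessAccess) record in which a process outside
    the allow-list opens lsass.exe with a handle that can read its memory."""
    if event.get("eventid") != "10":
        return False
    if not event.get("targetimage", "").lower().endswith(r"\lsass.exe"):
        return False
    mask = int(event.get("grantedaccess", "0x0"), 16)
    if not mask & PROCESS_VM_READ:
        return False  # handle cannot read memory, so it cannot dump credentials
    return event.get("sourceimage", "").lower() not in ALLOWED_SOURCES


def scan(lines: List[str]) -> List[str]:
    """Return the SourceImage of every record that should raise an alert."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append(event["sourceimage"])
    return hits


# Constructed sample records; only the third one should alert.
SAMPLE_LOG = [
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Users\Public\update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1FFFFF",
]
```

Running `scan(SAMPLE_LOG)` returns only the unknown binary under `C:\Users\Public`, since the svchost record lacks the memory-read bit and the taskmgr record does not target LSASS.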

The sensitive data found on Starwood's servers was in fact encrypted, but the hackers were able to use their tools to discover the decryption keys and gain access to the data over time. This took place before Marriott acquired the company, which allowed the hackers to hide in the background stealing customer data for two full years before the breach was discovered in 2018. It is clear that both companies are to blame due to their inadequate cybersecurity culture, security controls and routine practices.

The group responsible for the attack is still unknown; however, U.S. government officials have stated that Chinese hackers associated with the Ministry of State Security may be responsible. Because of this, the U.S. government has begun its own investigation into the incident, but details have not been released. Although no details have been released as to why this assessment was made, it was stated that the tactics, techniques and procedures used were characteristic of Chinese threat actors. The purpose of the attack beyond financial gain may have been to gain access to a rich supply of sensitive data on government officials and key decision makers for the purpose of espionage, blackmail and information warfare.
