2018 Year in Review – Marriott Breach – Tips for protecting your Holiday
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE
2018 has been a remarkable year for cybersecurity events, incidents and breaches. Throughout the year I have urged the patching and updating of IT systems, the review of IT controls, and user education. I have also written about the changing nature of vulnerabilities: they are no longer found only in software and applications, but in hardware and firmware as well. The importance of scanning your IT systems for vulnerabilities and then fixing what the scans find cannot be overstressed. Oversight of the IT function, whether in-house or outsourced, has been discussed. As the axiom states: you cannot outsource accountability. As we learned from the Target breach a few years ago, you are responsible for the security of the vendors you connect to your systems. A good start for IT oversight is to run the vulnerability scans and have non-IT management review the reports. A technical understanding of each vulnerability is not necessary. If IT is doing its job, whether in-house or out, the number of open findings, and especially the number of critical and high-severity findings that are still unfixed from one scan to the next, should be trending down. (New vulnerabilities are disclosed every month, so a count that never rises is less important than a backlog that keeps shrinking.) In my last article I wrote about the importance of a network inventory: you cannot protect what you do not know is there. This ties into the latest large data breach to hit the news.
Last week Marriott revealed that the guest reservation database of Starwood, the hotel group it acquired in 2016, had been breached. Records on up to approximately 500 million guests were exposed. Different combinations of fields were taken, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (SPG) account information, dates of birth, gender, arrival and departure information, reservation dates, communication preferences, and payment card numbers with expiration dates (Marriott says the card numbers were encrypted but cannot rule out that the decryption keys were taken as well). That is everything needed, and more, to assume your identity. Marriott has not yet revealed how the attackers gained access, only that unauthorized access to the Starwood network dates back to 2014. Anyone who made a reservation at a Starwood property on or before September 10, 2018 is potentially affected.
What are the lessons that we as business owners can learn from Marriott? First, a cyber risk assessment should be part of any merger and acquisition due diligence: the intruders were already inside the Starwood systems when Marriott bought them. Second, management needs to know what data is being collected, why it is being collected, and what business use it has. Just because you can collect something does not mean you should. Every piece of customer and employee data should have a valid business purpose; if it does not, purge it. As a Marriott customer, I am asking why they were still keeping my arrival and departure information, my passport information, and my gender. Management needs to understand that they are responsible for all data collected, and the company is liable for all data lost.
As a consumer, what can you do to protect yourself? First, Marriott has set up a website where affected guests can learn about the incident. One of the options it offers is a free one-year enrollment in WebWatcher, a service that monitors for your personal information being posted or traded by cybercriminals and notifies you if it is found. Additionally, you should:
- Monitor Financial Accounts: Watch your credit card accounts carefully. Most card issuers can notify you (by text or email) of every charge, or of any charge over a limit you set, or send you a daily summary of activity. I highly recommend that you enable at least one of these. You are looking for unauthorized transactions in the coming weeks and months, and since card numbers and expiration dates were taken together, consider asking your issuer to reissue any card you had on file with Starwood.
- Marriott / Starwood Accounts: If you have an account on the Marriott or SPG site, change your password, even if your account has not been reported as compromised. Choose a password you do not use anywhere else, and if you had reused your SPG password on other sites, change it there too.
- Security Freeze: With this much personal information compromised, the biggest risk is identity fraud, such as a criminal opening a loan or credit card in your name. A security freeze is one of the most effective steps you can take to protect yourself, and unfortunately few people know about it. A freeze locks your credit report (not your credit score) so that no lender can pull it without your authorization. Because a bank or card issuer will not extend credit without checking your report, no one, including a criminal pretending to be you, can open a new account while the freeze is in place. The challenges are that you must set up the freeze separately with each credit bureau (Equifax, Experian, TransUnion and Innovis), and that when you want a new loan or credit card you must temporarily lift the freeze first. Then again, how often do you apply for a new loan or credit card? Since September 2018 federal law requires the bureaus to place and lift freezes at no charge. Brian Krebs has an outstanding write-up of what a security freeze is and how to get one for free here.
- Social Engineering Attacks: In the coming days and weeks, attackers will take advantage of this incident with phishing emails, phone calls and text messages that claim to come from Marriott, Starwood, your bank, or a credit bureau. Treat any unsolicited message about the breach with suspicion: do not click the links in it; instead type marriott.com or your bank's address into your browser yourself. Marriott will never ask you to provide your password by phone or email. For that matter, NO COMPANY WILL ASK FOR YOUR PASSWORD VIA PHONE OR EMAIL. Never give out your password.
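The phishing messages described above usually give themselves away in the sender address and the links, which point at lookalike domains rather than the real one. The following Python script is an added example for this article, not Marriott's tooling or the author's code; the allowlist of legitimate domains, the sample message and the two-label "registrable domain" shortcut are assumptions made for illustration.

```python
"""Triage the links and sender of a message that claims to come from Marriott.

Added example for this article (not Marriott's tooling or the author's code).
The allowlist, the sample message and the registrable-domain shortcut below
are assumptions of the example.
"""
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed allowlist: registrable domains the real companies send from.
LEGITIMATE_DOMAINS = {"marriott.com", "starwoodhotels.com", "spg.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
FROM_RE = re.compile(r"^From:.*?<?([\w.+-]+@[\w.-]+)>?", re.MULTILINE | re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch typo-squats such as 'marriot'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('www.marriott.com' -> 'marriott.com').
    Sufficient for the .com/.net names used here; production code should
    consult the Public Suffix List so that 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legitimate', 'unknown domain', or a 'suspicious: ...' verdict."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    netloc = parsed.netloc.lower()          # keeps any 'user@' prefix
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious: internationalized (punycode) host"
    if IPV4_RE.fullmatch(host):
        return "suspicious: raw IP address"
    if registrable_domain(host) in LEGITIMATE_DOMAINS:
        return "legitimate"
    for legit in sorted(LEGITIMATE_DOMAINS):
        brand = legit.split(".")[0]
        # Brand buried in a foreign name: marriott.com.evil.net, marriott.com@evil.net
        # (skipped for very short brands such as 'spg', which match too much).
        if len(brand) >= 5 and brand in netloc:
            return f"suspicious: lookalike of {legit}"
        # Typo-squat of the brand label: marriot.com, marriottt.com
        for label in host.split("."):
            if len(label) >= 4 and label != brand and edit_distance(label, brand) <= 2:
                return f"suspicious: lookalike of {legit}"
    return "unknown domain"


def check_sender(message: str) -> str:
    """Apply the same domain checks to the address in the From: header."""
    match = FROM_RE.search(message)
    if not match:
        return "no sender address found"
    domain = match.group(1).split("@", 1)[1]
    return classify_url("http://" + domain + "/")


def scan_message(message: str) -> List[Tuple[str, str]]:
    """Every URL in the message with its verdict."""
    results = []
    for url in URL_RE.findall(message):
        url = url.rstrip(".,;:)")            # drop trailing punctuation
        results.append((url, classify_url(url)))
    return results


# Constructed sample: a phishing message of the kind the article warns about.
SAMPLE_EMAIL = """From: Marriott Security <security@marriott-verify.com>
Subject: Urgent: confirm your password after the Starwood incident

Your SPG account was affected. Confirm your password at
http://marriott.com.account-check.net/login and then review your
reservations at https://www.marriott.com/loyalty .
"""

if __name__ == "__main__":
    print("sender:", check_sender(SAMPLE_EMAIL))
    for url, verdict in scan_message(SAMPLE_EMAIL):
        print(f"{verdict:45} {url}")
```

Run against the constructed message, the sender domain `marriott-verify.com` and the link `marriott.com.account-check.net` are both flagged as lookalikes of `marriott.com`, while the genuine `www.marriott.com` link passes. The checks are deliberately simple: a real mail filter would use the Public Suffix List instead of "last two labels", resolve shortened URLs, and tune the edit-distance threshold per brand to limit false positives.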
If you are hit with identity fraud, the FTC has an excellent site, IdentityTheft.gov, that walks you through recovery step by step.
Stay Cyber Safe and Happy Holidays! (And never give out your password!)
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Principal in our Firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit training […]