
Cybersecurity Due Diligence: Inherited Risk

One of the world’s largest hotel chains, Marriott International, recently reported that its Starwood Guest Reservation database was breached – meaning names, mailing addresses, phone numbers, email addresses, passport details and a variety of other personally identifiable information (PII) were leaked, all the way through to member credit card details.

We always say it is not a matter of “if you will be breached,” but a matter of “when.” As always, it is better to have the mindset of “assume breach” when managing cybersecurity for an organization. Some in the media have already jumped to many conclusions about this incident, questioning why it took so long to detect the breach and commenting that Marriott should have done a better job with privacy by design, security awareness training, etc. However, cyberattacks are often the result of a variety of bad practices cascading on top of each other to exacerbate the situation, and with good enough skill, the attacker can often remain dormant within the network without being detected. My comments here will not go into the various areas of the cyber kill chain, but will look at this situation from a different angle, highlighting the importance of looking at the possible root cause of the breach, where it may have all started with “inherited risk.”

Details of the exact events which led to the breach may never be made public, but a lot of the speculation has centered on whether this was a state-sponsored attack, or whether a hacker got in to steal all the credit card details to sell on the dark web, etc. Given the reports that access to the data may have started as far back as 2014, we should go back to the basics and see what significant business changes occurred between 2014 and today, which may have set the foundation for the breach to occur.

In September 2016, Marriott announced that it would acquire Starwood Hotels & Resorts Worldwide for US $13 billion, and that the Starwood loyalty program would be a “central, strategic rationale for the transaction,” according to Marriott CEO Arne Sorenson. Since the announcement came in 2016, it would not be out of the question to assume that the planning, testing and integration of the membership database and systems would have started several years before the announcement – placing this at or around the 2014 date when it has been stated the breach began. The first thought to come to mind would be to assess whether or not a detailed cybersecurity and privacy risk assessment was done prior to Marriott’s acquisition of Starwood. “Eighty percent of global dealmakers said they’ve uncovered data security issues in at least one-fourth of their M&A targets,” as highlighted in a PwC report, and if a detailed assessment was not done, Marriott cannot ignore that it may have inherited the security risk from Starwood and/or the integration of Starwood’s membership database. Further to this point, if a detailed cybersecurity assessment was done, were the issues identified remediated and corrected before the M&A took place?

In addition, integration of legacy systems can open up new attack surfaces which were not present in the original parent company and acquired company when they were operating separately. This is why it is important to carry out risk assessments both before and after the take-over, which should include (but not be limited to) penetration tests and access control audits, to reduce the chances of excessive privileges and privilege creep as a result of the take-over. These basic cybersecurity due diligence controls are often ignored in the rush to meet M&A deadlines, and more needs to be done to include cybersecurity audits and remediation processes.

Breaches are becoming more and more common in news headlines, with the recent Cathay Pacific breach reportedly resulting in the data of 9.4 million passengers being exposed. Cathay is still under investigation and may indeed face GDPR fines in the near future. However, Marriott could be the first post-GDPR case where the fines are going to be significant, due to the sheer number of people affected, and the type of sensitive PII data that was leaked.

“We are working with partners to better understand the data breach affecting Marriott International and how it has affected customers,” the National Cyber Security Centre spokesperson said. “The NCSC website includes advice for people who think they have been affected by the data breach, including guidance on suspicious phone calls and targeted emails that can be sent after a data breach.”

Additional resources and guidance

  • National Cyber Security Centre advice for Marriott customers is available here.
  • Marriott has published information related to the breach here.
  • If a member of the public thinks he or she has been a victim of cyber crime or cyber-enabled fraud, use Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040.
  • Victims of cybercrime should be vigilant against suspicious phone calls or targeted emails. If you have been told that your personal details, such as your password, may have been accessed, you should ensure those details are not used on any other accounts.

Author’s note: Jason Lau is CISO at Crypto.com, and holds CISSP, CIPP/E, CIPM, CGEIT, CRISC, CISA, CISM, CEH, CDNA, CSM, ITIL and an IAPP Fellow of Information Privacy (FIP).