Marriott International CEO Arne Sorenson told a US Senate committee hearing that the company had not been aware of the scale of the data issues at Starwood Hotels & Resorts prior to buying it in 2016.
Sorenson said that the source of the breach remained unknown, addressing speculation that it had originated in China.
Sorenson told the Senate Permanent Subcommittee on Investigations: “As a company that prides itself on taking care of people, we recognise the gravity of this criminal attack on the Starwood guest reservation database and our responsibility for protecting data concerning our guests. To all of our guests, I sincerely apologise.”
When asked about past issues at Starwood Hotels & Resorts which may have been uncovered in due diligence, Sorenson said he was aware of a smaller breach at property level, but not of any widespread irregularities in the company’s reservation system.
The CEO said that there had been evidence of an unauthorised party on the Starwood network since July 2014 but that it did not impact its guest reservations database and Marriott International’s investigators had found “no evidence the attacker had accessed guest data” until mid-November 2018.
Sorenson said that the company had first been alerted to an issue on 7th September last year, when an alert was delivered by a cybersecurity tool. Marriott was notified, as was a third-party vendor that handled some technical aspects of the Starwood reservation system. It was on 19th November that Marriott International discovered that customer data had been stolen and, Sorenson said, accelerated the retirement of the Starwood reservations and operations systems.
The breach was publicly disclosed on 30th November, which, the CEO said, was an appropriate period of time following the confirmation of data theft. Under the GDPR regime in Europe, companies must inform regulators of breaches within 72 hours of becoming aware of them, with the threat of a fine of up to 4% of annual global revenue.
When asked whether he knew the source of the attack, the CEO said: “The short answer is we don’t know. We’ve simply been focused on making sure the door is closed. I feel quite inadequate about even drawing inferences from the data we’ve obtained… We have shared everything with the FBI including IP addresses used and malware used so they can do that kind of investigation.”
Sorenson said that, with respect to payment cards, the incident involved approximately 9.1 million encrypted payment card numbers, of which approximately 385,000 were unexpired as of September 2018. He said: “Based on our current information, we believe that the information accessed by an unauthorised third party could include several thousand unencrypted payment card numbers. To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility.”
The CEO said that approximately 17,700 requests had been received through the website set up by Marriott International for guests wanting to know more about whether their information was involved.
Thus far, he said, Marriott International had not received any substantiated claims of loss from fraud attributable to the incident.
An observer close to the situation, who declined to be named, told Hotel Analyst: “Starwood was a sieve. They knew it was a sieve, they had already disclosed two events prior to the acquisition. Going into the integration, there was a huge focus on how to triage and prevent issues like this, and I suspect it was priced into the initial deal but got forgotten in the competition to close the deal that ensued.
“Fundamentally, Marriott themselves – not the Starwood parts – are textbook in their approach to information security: they take no risks, do all the right things, tick all the right boxes. And do a really good job. But from an information security perspective they bought a lemon, and they know it. This breach has fingerprints going back years – and the reality is it’s probably only the controls Marriott introduced that brought it to the surface – if it was still under Starwood control they wouldn’t be aware of it.”
In November 2015 Starwood Hotels & Resorts disclosed that malware had been found on its point-of-sale systems at 54 North American hotels. The company said that the breach had not affected the guest reservation system or Starwood Preferred Guest.
HA Perspective [by Katherine Doggrell]: The things people will do to get out of attending the IHIF in Berlin. One assumed that Sorenson must have access to a significant amount of free branded pens, because it’s unlikely the US Senate is as open to grabbing fistfuls of biros as those manning the stands at IHIF. He’ll be missing out on some rubber duckies too.
Jetlag sidestepping aside, while Sorenson was missed onstage in Europe, the deal which was the talk of IHIF a few years back was the talk of the Senate, with a couple of senators questioning how he could have failed to have a decent look under the hood at Starwood. Given that no-one has yet seen Donald Trump’s tax returns, a touch of people in glass houses there, but they had a point. While there was an argument that what company doesn’t have some dark corners, the query was why past breaches hadn’t caused them to shut down the Starwood system in its entirety. No need, they thought.
So far, no harm appears to have been done, which appears to make being a hacker a massive waste of time. ‘Just because it’s there’ is an argument for mountain climbing, not breaking into guest reservation systems. Have some dignity, people.
This is, of course, good news. For Marriott, their recent results showed no impact on revpar, indicating that customers couldn’t give two figs either and long may it last. In the meantime the investigation continues and observers wait to see whether this really will be the first big test of GDPR.