

Dissecting the Marriott Data Breach Response


Another week goes by, and we have absolutely no shortage of breach-related news. This week’s top story focuses on one of the largest breaches we have seen today, impacting the Marriott-owned Starwood hotel chain. The hotel chain’s breach was reported to contain information on around 500 million guests who had booked a stay at any of their Starwood locations on or before September 10, 2018. The official Marriott announcement also stated, “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” While the announcement noted the encryption of stored guest credit card numbers, this sliver of hope was presented with little confidence, due to the possibility of associated encryption keys being compromised as well.


Marriott Responds

The initial Marriott breach notification also included their efforts to help protect their impacted guests. These efforts included a dedicated website (, a customer call center, and an email notification for guests who had their email compromised, as well as a one-year subscription to the monitoring software WebWatcher.


The Criticism

While Marriott’s breach notification was fairly standard, its response has been heavily criticized since its release, and for good reason. To start, Marriott directed guests to a website to inform them of the current situation, the response, and frequently asked questions. Sound familiar? If it does, it may be because it closely resembles one of the most criticized elements of Equifax’s breach response process.

During the Equifax breach response, fake sites were created shortly after Equifax published its initial response website, duplicating the original but altering the domain name slightly. The most notable of these was created by a security professional to highlight the poor response process used by Equifax. In fact, Equifax itself wound up confused and, via Twitter, mistakenly directed users to the fake website “” rather than its legitimate website “” multiple times.

Along these same lines, the address used to send Marriott’s breach notification email concerned many security professionals. The sending address, “”, while legitimate, does not appear trustworthy at first glance. This is a problem for users, who should be suspicious of messages and websites looking to exploit the situation; setting up lookalike domains and phishing emails is a common attacker technique around widely publicized breaches, disasters, and other newsworthy events.

The shocking news here is that this risk is not being mitigated by Marriott, but rather by security professionals, like Troy Hunt, who are registering domains such as “” to prevent such domains from being used to exploit victims.

While the Equifax breach response was billed as the playbook for how not to respond to a breach, someone forgot to tell Marriott, because they seem to be following in Equifax’s highly-criticized footsteps too closely.


The Takeaways

There is a lot of information to take in here, and this can certainly be used as a learning experience as well as an opportunity to take action. Even if our confidential, private information was not breached this round, there is a good chance it has been in the past or will be in the future. In situations like this, individuals should consider the steps necessary to protect themselves, and businesses should consider what they can take away, learn, and improve from situations like this. Some core items to note:

  1. Take our lessons learned where we can get them. You do not have to wait for your own internal testing to talk about improvements to your incident response process, and we certainly do not have to wait until we get breached to improve our process. Take examples like the Marriott and Equifax breaches to identify issues in your own process as well as improvements you can make to your own Incident Response Plan. A good Incident Response Plan is something everyone hopes they never have to use, but having a well-defined process can have a significant impact on the amount of reputational loss a business endures following an incident.
  2. Assume your data has already been compromised. With the number of breaches being publicly announced, you should assume your information is out there rather than crossing your fingers and hoping you’re not affected. Consider protecting yourself no matter if you were directly involved in this most recent breach from Marriott or not. Steps that can help you protect your credit and information include:
    1. Freeze your credit: Be sure to freeze your credit with all three of the major credit reporting agencies (Experian, Equifax, and TransUnion). The good news is that as of September 21, 2018, freezing and unfreezing your credit is free, due to a new federal law following the Equifax breach.
    2. Monitor your credit: If freezing your credit isn’t something that you are interested in doing, the very least you should be doing is monitoring your credit. If someone opens a new account in your name, the sooner you can respond, the less your impact is going to be. Fortunately, there are a number of reputable and free credit monitoring/alerting services that you can look into, including Credit Karma or Credit Sesame. But you don’t have to rely on our word; be sure to do some research on the pros and cons of such services before signing up.
    3. Have someone else monitor your information: If your information was involved in the Marriott breach, take them up on the one-year subscription to WebWatcher. Just note, your risk is not limited to one year, so once the subscription runs out, following up on monitoring your credit will once again become your responsibility. Your compromised information will put you at risk until that information is changed, so consider it permanently exposed. The good news is that with all these breaches, more and more businesses that offer full-service identity and credit monitoring services, such as IdentityForce, LifeLock, or Identity Guard, are popping up. These services not only monitor your credit, but help you recover your identity if anything malicious happens with your credit or personal information. These services are not free, however, so be sure to understand what you’re getting for the cost.
  3. Be wary of fake domains and phishing scams: As noted above, fake websites and phishing emails relating to breaches are very common in these types of scenarios. Make sure you are not putting yourself at risk by clicking on fake links or accessing fake websites. Remember, think before you click.
  4. Understand your defense: For the Marriott breach, it is assumed that hackers gained access to the Starwood network as far back as 2014. While this is an exceptionally long time for a hacker to have access to data without the business knowing, a study performed by Ponemon in 2017 showed the average time it took US companies to detect a breach was 206 days. Understanding how you would detect a breach on your network is going to be a huge step in improving your network defense. For more information covering Incident Response Preparedness, see our blog which covers 50+ Incident Preparedness Checklist Items.


Written by: Cole Ponto
Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

  • {Blog} 50+ Incident Response Checklist Items: The #1 question organizations need to ask themselves is “if someone was in our network, would we be able to tell?” An organization’s ability to answer that single, extremely important question makes all the difference between being able to respond and recover from an incident quickly (and cost-effectively) vs. being notified by a user, or worse yet, by a federal agency, that something is amiss. Be honest with your answer; most organizations are unable to say “yes” to this question, and it rightfully keeps many network admins and information security professionals awake at night. If you are uncertain how to go about detecting an incident on your network, you are certainly not alone. Here’s a primer to get you started.
  • {Service} Incident Response Planning: An SBS consultant can assure your well-structured Incident Response Plan (IRP) will help mitigate the negative effects of a security breach, as well as demonstrate to examiners that your organization is properly prepared to handle such an event.
  • {Blog} Threat Intelligence - What Does it Look Like?: To stay on top of emerging threats you can invest in threat intelligence; this not only helps you stay aware of any new and emerging threats making their way across the internet, but also monitor potential threats targeting your business network. Developing a Threat Intelligence Plan that outlines how you plan to monitor new cyber threats and attacks can provide great benefit to your business, and it doesn’t have to be a huge undertaking.
  • {Hacker Hour} Incident Response Round Table: Join SBS for this free webinar in which we will discuss best practices to write and test your incident response plan. We will also walk through some common scenarios that should be considered in your plan.


Related Certifications:

Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute.

  • Certified Banking Incident Handler
  • Certified Banking Vulnerability Assessor

Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.

Posted: Wednesday, December 5, 2018
Categories: Blog, In the News