Law360: Privacy Counsel Comments on Possible Follow-up Attacks Using Marriott Breach Info

Nov 30, 2018

Marriott International Inc. drew immediate regulatory and consumer backlash in the wake of its Friday disclosure of a data breach impacting up to 500 million guests at its Starwood properties, and the fallout is far from over, given that the hackers likely lifted a bevy of travel details that could be used to orchestrate further attacks, experts say.

The newly disclosed breach centers on the Starwood guest reservation database, which contains information such as mailing addresses, email addresses, payment card data, passport numbers, and arrival and departure dates for approximately 500 million guests who made reservations at W Hotels, Sheraton Hotels & Resorts or any other Starwood property. Marriott, which two years ago closed a $13.6 billion deal to scoop up the Starwood brands, said that an internal security tool alerted it to an attempt to access the database on Sept. 8, although further investigation revealed that the hackers had had access to the Starwood network since 2014.

The news prompted the U.K.’s data protection commissioner and attorneys general from several U.S. states, including Maryland, New York, Pennsylvania, Texas and Massachusetts, to confirm that they are planning to look into the incident, while longtime hotel patrons Harry Bell and Edward Claffy lodged a putative class action in Maryland federal court accusing Marriott of failing to take reasonable and appropriate measures to protect and secure guests’ personally identifiable information.

But while such legal fallout has become almost standard in the wake of high-profile consumer data breaches, including those that have hit companies such as Equifax, Facebook and Yahoo in recent years, the Marriott hack offers a different wrinkle due to the type of information that was contained in the compromised database, which is likely to provide value far beyond financial gain, attorneys say.

“This incident is about more than just stealing credit card information,” said Jesse Varsalone, associate professor of computer networks and cybersecurity at University of Maryland University College. “This has the extra component of involving a hotel reservation system, which contains a lot of personal travel information that when pieced together can prove to be very valuable.”

While it’s still unclear what information the hackers were targeting and what their motives may have been, experts agreed that nonfinancial information such as addresses, passport numbers and travel schedules can easily be repurposed or combined with other information already available on the black market to make it easier for criminals to take over someone’s identity for a range of nefarious purposes.

“Every little piece of information helps if a person is trying to impersonate someone or steal someone’s identity,” said Joshua Bevitz, partner at Newmeyer & Dillion LLP. “It may seem like innocuous information, but it’s just another arrow in their quiver when they’re trying to pose as you. And even if they can’t use it at that moment, they can put it into a database and correlate it with information from another hack, because once a piece of information is out there, it’s out there for good.”

For example, information such as home addresses and travel itineraries can help hackers crack security questions that enable access to a range of password-protected accounts, Bevitz said.

Hotels often hold a wide range of information about patrons who revisit their hotel, including a history of where they have lived and what destinations they have traveled to over the years, which gives hackers additional ammunition to crack common security questions and pose as a consumer, according to Bevitz.

Information in a guest reservation database — particularly one maintained by a high-end brand such as Starwood — is also likely to prove useful to those attempting to carry out increasingly prevalent spear phishing attacks, experts say. This method, which typically provides an easier point of access than direct strikes on a system, involves sending an email to a specific individual within an organization that appears to be legitimate but is actually from criminals attempting to steal confidential information.

“Dates of birth, travel details, those are the kinds of things that hospitality companies use to enhance the guest experience, but they can also be used by attackers to execute more personalized attacks and make communications seem more authentic,” said Paige Boshell, managing member at Privacy Counsel LLC.

Experts say that these types of social engineering attacks have been on the rise, and companies whose executives frequently visit Starwood properties should be extra vigilant about scrutinizing such requests moving forward.

“If you think about why Starwood was so attractive to Marriott, it’s very high-end and has loyal guests that travel frequently, including senior executives and the other key people at an organization,” Boshell said. “So businesses that have very valuable proprietary or business information and have a senior executive visiting Starwood hotels in different countries need to be mindful that their patterns may be able to be tracked and used to target or impersonate senior executives later.”

Varsalone noted that Marriott properties are also frequently used by the federal government for travel purposes, meaning that the hackers may have been able to track the under-the-radar movements and activities of government officials since as far back as 2014.

“If the hackers can see that a person is at a certain Marriott at a certain conference, they can extrapolate who’s working for whom and can really get so much really interesting and valuable information about what they’re doing,” he said, adding that additional details about who someone may be staying with or what charges they’re racking up could also later be used for blackmail purposes.

While breaches in other industries, such as retail, banking and technology, have dominated the headlines in recent years, data security threats at hospitality companies are nothing new, attorneys noted.

“The hospitality industry has proven in recent years to be a data-rich, soft target for hackers,” said Phillips Nizer LLP technology practice group chair Thomas G. Jackson.

Hilton Hotels, Hyatt Hotels, Intercontinental Hotel Group, Wyndham Worldwide, Radisson Hotel Group, Millennium, Kimpton Hotels and Mandarin Oriental Hotel Group are among the hotel chains that have faced breaches in recent years, and Starwood disclosed a separate incident in 2015 in which debit and credit card information was stolen from its point-of-sale system.

However, the latest Starwood breach is “especially startling given not only the massive number of records stolen but also in terms of the level of detail of the data that may have been taken and the fact that for more than four years the activity went undetected,” Jackson said.

Experts say the latest Starwood breach provides a cautionary tale in data retention that companies across a wide range of industries could heed.

“Just the sheer magnitude of how many people were impacted is an indication of how much data is really being maintained by companies these days,” said Batya Forsyth, co-chair of the privacy, data security and information governance group at Hanson Bridgett LLP. “That’s why it’s so important for companies to be diligent about knowing what data they have, where it is, why they have it and who has access to it.”

Given that Marriott has said it believes that the hackers have been in Starwood’s systems since 2014, continuous monitoring of systems is also key “to see if activity is going on with prior breaches and not to just proactively prevent breaches going forward,” Bevitz said.

The Marriott incident also departs from other recent breaches in terms of what the hotel chain is offering to impacted guests, attorneys noted. While most companies provide free credit monitoring, Marriott is giving guests the opportunity to enroll for one year free of charge in WebWatcher, which monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of his or her personal information is found.

“The offer isn’t a traditional one, and it’s unclear whether it’s being made because the type of information stolen is much broader or if they have information about potential uses of that information that they can’t share yet,” Boshell said.

Given that companies often look to their competitors, the WebWatcher offer could set a new standard for the hospitality industry, especially in the wake of the enhanced pressure being put on companies to take data protection seriously in light of more stringent new laws such as the European Union’s General Data Protection Regulation, which took effect in May.

“With various recent data scandals and the enactment of the GDPR, we’re seeing such a heightened sensitivity to these issues by consumers that the obligations on companies, whether they’re self-imposed or not, are higher than they were 18 months ago,” Boshell said.

The breach reporting environment is also strikingly different — with the GDPR most notably setting a 72-hour window for companies to notify data protection authorities once they learn of an incident — and the Marriott disclosure shows hints of being crunched by that tighter deadline, attorneys say.

“There’s always a tension when giving a data breach notice about providing it quickly enough but also being informative,” Boshell said. “What’s notable about Marriott’s notice is that they’re trying to be informative but it’s pretty clear they don’t have all the information yet, and we’re going to have to watch this evolve in real time.”

One question that will likely be raised in the coming weeks will be whether the hotel chain’s breach notification was timely enough.

Marriott has said that while its systems flagged suspicious activity at the beginning of September, it took the company until Nov. 19 to decrypt the stolen information and determine that the contents were from the Starwood guest reservation database.

Morgan & Morgan Complex Litigation Group attorney John Yanchunis, who is representing the plaintiffs who filed the proposed class action against Marriott on Friday, called the disclosure that the breach began in 2014 and went undetected for four years “shocking and horrifying,” and experts expect regulators in both the U.S. and EU to pose tough questions about the timeline that led to Friday’s announcement.

“A main issue is going to be why wasn’t this discovered earlier,” said Fox Rothschild LLP partner Scott Vernick. “Any time there’s a delay in the discovery of an incident, that’s going to enhance the litigation and regulatory environment and the potential for exposure.”

The hotel guests who filed suit Friday are represented by John A. Yanchunis, Ryan J. McGee and Jonathan B. Cohen of Morgan & Morgan Complex Litigation Group and William H. Murphy III and Jessica H. Meeder of Murphy Falcon & Murphy PA.

Counsel information for Marriott was not immediately available.

The case is Bell et al. v. Marriott International Inc., case number 8:18-cv-03684, in the U.S. District Court for the District of Maryland.

Original article published by Law 360.