Marriott CEO shares post-mortem on last year's hack

Marriott investigators found Mimikatz and a remote access trojan (RAT) on the hacked Starwood IT systems.
Written by Catalin Cimpanu, Contributor

Marriott International CEO Arne Sorenson testified in front of a US Senate subcommittee yesterday, revealing new details about a security breach the hotel chain disclosed last year.

Speaking in front of the Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations, Sorenson apologized to the company's customers but also shot down rumors that China was behind the hack.

According to his prepared statement, Sorenson said the first indication that something might be wrong came on September 8 last year, when Marriott was contacted by Accenture, the IT services company that was managing the Starwood guest reservation database.

Marriott had acquired the Starwood hotel chain in September 2016 and was working on a plan to migrate Starwood customers to its own guest reservation system, but at that time the Starwood system was still separate from the rest of the Marriott network.

On September 8, Accenture told Marriott's IT staff that one of the security products it ran, the IBM Guardium database activity monitoring system, had detected an anomaly on the Starwood guest reservation database a day earlier, on September 7.

"The Guardium alert was triggered by a query from an administrator's account to return the count of rows from a table in the database," Sorenson said.

Such a query stands out not because a row count is harmful in itself, but because the application that runs on top of a reservation database has no routine reason to ask how many rows a table holds; it is the kind of ad hoc query a person types at a console when sizing up a table before copying it. The alert therefore pointed to a human operator issuing the query by hand under an administrator's credentials.
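As an added illustration (not code from the article, or from Marriott, Accenture or IBM), here is the kind of rule a database activity monitor applies, written in Python over a constructed audit log. It flags row-count queries against sensitive tables from anything other than the application's own service account, and separately flags an administrator account connecting from a host other than its registered workstation, which is the automated form of the "did this person actually run that query" check. The table names, account names, host names and log format are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy inputs (assumptions for this example; tune to the real estate)
SENSITIVE_TABLES = {"guest", "passport", "payment_card"}
APP_SERVICE_ACCOUNTS = {"resv_app"}  # accounts the reservation application itself uses
ADMIN_HOME_HOSTS = {"dba_jsmith": {"ws-0042.corp.example"}}  # where each DBA normally connects from

# Matches "SELECT COUNT(*) FROM <table>" style row-count queries, case-insensitively
COUNT_RE = re.compile(
    r"\bSELECT\s+COUNT\s*\(\s*(?:\*|1|[A-Za-z_]\w*)\s*\)\s+FROM\s+([A-Za-z_][\w.]*)",
    re.IGNORECASE,
)

# Constructed sample audit records (not real Starwood or Guardium data).
# Pipe-separated: timestamp | db_user | client_host | client_program | sql
SAMPLE_AUDIT = """\
2018-09-07T02:14:05Z|resv_app|app-node-03.example|reservations-svc|SELECT guest_id, last_name FROM guest WHERE guest_id = ?
2018-09-07T02:14:09Z|resv_app|app-node-03.example|reservations-svc|UPDATE reservation SET status = ? WHERE id = ?
2018-09-07T03:41:22Z|dba_jsmith|ws-1187.corp.example|sqlplus|SELECT COUNT(*) FROM guest
2018-09-07T03:41:40Z|dba_jsmith|ws-1187.corp.example|sqlplus|select count(*) from starwood.passport
2018-09-07T09:05:11Z|dba_jsmith|ws-0042.corp.example|sqlplus|SELECT COUNT(*) FROM audit_log
"""


@dataclass(frozen=True)
class AuditRecord:
    ts: str
    db_user: str
    client_host: str
    client_program: str
    sql: str


def parse_audit(text: str) -> List[AuditRecord]:
    """Parse the pipe-separated audit format constructed above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, prog, sql = line.split("|", 4)  # the SQL text may itself contain '|'
        records.append(AuditRecord(ts, user, host, prog, sql))
    return records


def row_count_target(sql: str) -> Optional[str]:
    """Return the unqualified, lower-cased table a row-count query targets, else None."""
    m = COUNT_RE.search(sql)
    return m.group(1).split(".")[-1].lower() if m else None


def detect(records: List[AuditRecord]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, db_user, reason, detail) for each anomalous record."""
    alerts = []
    for r in records:
        # Rule 1: only the application account has a routine reason to count rows of sensitive tables
        table = row_count_target(r.sql)
        if table in SENSITIVE_TABLES and r.db_user not in APP_SERVICE_ACCOUNTS:
            alerts.append((r.ts, r.db_user, "row-count on sensitive table", table))
        # Rule 2: an admin account seen from a host it is not registered to is a credential-misuse signal
        home = ADMIN_HOME_HOSTS.get(r.db_user)
        if home is not None and r.client_host not in home:
            alerts.append((r.ts, r.db_user, "admin account used from unregistered host", r.client_host))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_audit(SAMPLE_AUDIT)):
        print(" | ".join(alert))
```

On the constructed log the two 03:41 queries produce four alerts (two row counts on sensitive tables, twice from an unregistered host), while the DBA's later count on a non-sensitive table from the registered workstation produces none. The second rule is what turns an alert into an investigation: if the named administrator confirms the session was not theirs, the credentials are compromised regardless of what the query did.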

"As part of our investigation into the alert, we learned that the individual whose credentials were used had not actually made the query," Sorenson said.

At that point Marriott's staff knew they were probably dealing with a breach, although they did not yet know whether it was a major intrusion or an early-stage one that could be contained before the attackers reached any guest data.

The company said it brought in third-party forensic investigators on September 10 to help its IT staff look into the possible breach. The forensic firm uncovered malware on the Starwood IT systems less than a week later.

"The investigators uncovered a Remote Access Trojan ('RAT'), a form of malware that allows an attacker to covertly access, surveil, and even gain control over a computer. I was notified of the ongoing investigation that day, and our Board was notified the following day," the CEO said.

Uncovering the full scope of the attack took significant forensic work, the CEO said. Despite the RAT's presence on the Starwood IT system, at that point there was still no evidence that unauthorized parties had accessed the customer data held in Starwood's guest reservation database.

But the investigation didn't stop. The next month, in October, the forensic firm also found Mimikatz, an open-source credential-dumping tool used by penetration testers and attackers alike that reads the memory of the Windows LSASS process to recover plaintext passwords, password hashes and Kerberos tickets for logged-on accounts. The tool was most likely used to harvest credentials for other Starwood systems and move laterally through the network.
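The observable that Mimikatz leaves behind is a handle opened on lsass.exe with memory-read rights. As an added example (not code from the article, Marriott or the forensic firm), the Python below applies that check to constructed Sysmon Event ID 10 (ProcessAccess) records delivered as JSON lines: any process other than a small allowlist that opens lsass.exe with the PROCESS_VM_READ bit set in GrantedAccess is reported. The allowlist, the file paths and the event records are assumptions.

```python
import json
from typing import List, Tuple

PROCESS_VM_READ = 0x0010  # Win32 process access right required to read another process's memory

# Source images permitted to open LSASS for reading. This is an assumption for the example and only a
# first filter: an attacker chooses the path a dropped binary runs from, so pair it with signer checks.
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
LSASS_IMAGE = r"c:\windows\system32\lsass.exe"

# Constructed Sysmon Event ID 10 records as JSON lines, reduced to the fields used here (not real data).
SAMPLE_EVENTS = r"""
{"EventID": 10, "UtcTime": "2018-10-02 01:12:40.113", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "UtcTime": "2018-10-02 01:13:05.771", "SourceImage": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "UtcTime": "2018-10-02 01:13:06.002", "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "UtcTime": "2018-10-02 01:14:19.340", "SourceImage": "C:\\Tools\\dumper.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "GrantedAccess": "0x1410"}
{"EventID": 10, "UtcTime": "2018-10-02 01:15:52.918", "SourceImage": "C:\\Windows\\Temp\\mk.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 1, "UtcTime": "2018-10-02 01:15:50.100", "Image": "C:\\Windows\\Temp\\mk.exe", "CommandLine": "mk.exe"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reads_lsass(event: dict) -> bool:
    """True if this ProcessAccess event opened lsass.exe with a handle that can read its memory."""
    if event.get("EventID") != 10:
        return False
    if event.get("TargetImage", "").lower() != LSASS_IMAGE:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)  # Sysmon logs the mask as a hex string
    return bool(granted & PROCESS_VM_READ)


def detect_credential_dumping(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (UtcTime, SourceImage, GrantedAccess) for LSASS memory reads by non-allowlisted processes."""
    alerts = []
    for e in events:
        if reads_lsass(e) and e["SourceImage"].lower() not in ALLOWED_SOURCE_IMAGES:
            alerts.append((e["UtcTime"], e["SourceImage"], e["GrantedAccess"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_dumping(parse_events(SAMPLE_EVENTS)):
        print(" | ".join(alert))
```

Testing the PROCESS_VM_READ bit rather than matching a list of exact masks (0x1010 and 0x1410 are the values most often associated with Mimikatz) keeps the rule from being bypassed by a tool that requests a slightly different set of rights; Task Manager's query-only handle and the read of a process other than LSASS are correctly ignored.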

Yet again, investigators didn't find evidence that hackers had accessed customer data.

The hack turned from "probably bad" to "bad" the next month, in November, when investigators found that the hackers had been active on Starwood's IT network since July 2014, long before Marriott's acquisition.

This meant that the hackers had operated undetected for more than four years, including more than two years before the acquisition closed, and it made the investigation much harder, as the forensic firm now had to dig through years of logs.

Yet again, there was still no evidence of hackers accessing customer data.

But the inevitable eventually happened, in mid-November. Sorenson's prepared statement describes how and when the investigators realized that the attackers had stolen Starwood customer data:

On November 13, our investigators discovered evidence that two compressed, encrypted files had been deleted from a device that they were examining. The files were encrypted and the actual content was unknown. There was also evidence to suggest that those two files had potentially been removed from the Starwood network. Six days later, on November 19, 2018, investigators were able to decrypt the files, and found that one contained an export of a table from the Starwood Guest Reservation Database containing guest data, while the other contained an export of a table holding passport information.

At this point, the writing was on the wall, and it was written in neon blinking lights. Hackers had breached Starwood's IT network and had stolen customer details from its guest reservation database.

What followed is now already very well documented. The hotel chain notified authorities and went public with its data breach disclosure on November 30, revealing a breach that impacted around 500 million customers, breach stats that the company later updated in January 2019, and again in March.

According to Sorenson's prepared statement and an update on the Starwood breach notification website, these are the latest stats surrounding the Marriott breach:

  • 383 million guest records
  • 18.5 million encrypted passport numbers
  • 5.25 million unencrypted passport numbers (663,000 from the US)
  • 9.1 million encrypted payment card numbers
  • 385,000 card numbers that were still valid at the time of the breach

The Marriott CEO said again that the investigation has yet to uncover evidence that the attackers obtained the encryption key used to protect the payment card numbers, meaning that most of the compromised card numbers should remain unusable to them.

Furthermore, the number of affected guests is likely smaller than the 383 million records suggest.

"[I]n many instances, there appear to be multiple records for the same guest, but because of the nature of the data, further de-duplication cannot easily be performed," Sorenson said. "We cannot confidently determine whether records with similar names, or even identical names with different addresses, represent one person or multiple people, but we have concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved."

Sorenson said that disclosing the breach was also a massive effort and involved notifying the FBI, all US State Attorneys General, the FTC, the SEC, regulators in 20 different countries, four major payment card networks and their credit card processing vendors, and three US credit reporting agencies.

An investigative team working on behalf of payment card networks is still looking into the hack, separately from Marriott's team and US authorities.

Answering questions from the Senate subcommittee, Sorenson also addressed a statement US Secretary of State Mike Pompeo made last year during an interview on "Fox & Friends," in which Pompeo blamed the hack on Chinese state hackers.

"The short answer is we don't know," Sorenson said when asked about Pompeo's remarks. "I feel quite inadequate about even drawing inferences from the information that we've obtained."

A recording of Sorenson's testimony is available here.

During the same hearing, Equifax's new CEO Mark Begor was also interviewed about his company's 2017 hack. He didn't disclose any new information, as Equifax officials have been in front of Senate committees for more than a year now and the details surrounding the 2017 hack are already known.

We previously published an article about the Equifax hack post-mortem here, if users are interested in finding out how the company was compromised.
