Nation States Not Snoozing on Starwood Reservations Breach

The hotel industry has an often-used adage that sums up the business in the fewest possible words: “heads in beds.” When hotels think about security, they focus on guests’ personal and physical security, but recent events across the industry have aptly demonstrated that this focus needs to be extended into the information security realm.

When Marriott’s Starwood Reservation system data breach was first announced, the extent of the breach, while extraordinarily large (500 million guests), appeared to be restricted to information associated with one’s credit/debit cards (8.6 million cards) and name/address type data and a few passport numbers. This type of breach, while certainly an inconvenience, is more easily ameliorated than the type of breach which puts your personally identifiable information (PII) at risk.

Then we learned, via a 4th January Marriott statement, that the ‘few passport numbers’ were really the data on 5.25 million passports, with an additional 20.3 million passport numbers which were stored in encrypted format. Marriott advised that the Starwood Reservation System was put to sleep at the end of 2018, and now all reservations are running through the Marriott system.

Hotel Breaches on the Increase as Company Insiders Targeted

According to Marriott’s statement, the intrusion began in 2014 and was discovered in 2018, by which time the intruder had copied the Starwood data stores into a duplicate database. The timing is important, as the intrusion began before Marriott had acquired the assets of Starwood Hotels & Resorts Worldwide.

While criminals could sell and use the credit/debit card data and engage in identity theft, nation state actors have a more nefarious long-term investment perspective – an intelligence targeting portfolio.

The creation of a Department of Justice working group to combat China’s corporate espionage is focused on both cyber espionage as well as human intelligence activities by Chinese intelligence.

Take an inventory of breaches and the type of data lost/compromised during the 2013-2018 timeframe and one can see the pieces of the personally identifiable information (PII) puzzle being put together through active targeting across the various sectors – hotel, entertainment, finance, communications, government, healthcare, social networks, email, etc.

Is there enough information there to put together an approach to your insider – your employees, your executives and other staff members who have direct access to your company’s most sensitive systems and information?

Coercive Approach Targets Key Company Insiders

There is ample evidence of Chinese counterintelligence operations targeting cybersecurity companies and managed service providers (MSP) in order to penetrate entities of interest.

Perhaps a coercive approach to your insider is the avenue chosen: one where the goal is not long-term compromise and access but instant, actionable information, a one-off, because the collaborative approach has not worked or is assessed as likely to be rejected.

A coercive approach can be created from the world of unsavory or extremely personally sensitive information recently compromised (think Ashley Madison, Premera Blue Cross, and the Office of Personnel Management). The threat utilized is the revelation of a personal peccadillo (Ashley Madison), or personal health issues (Premera), or the information which the government’s background investigation revealed, that is not common knowledge nor would you desire it become such (OPM).

While coercive approaches have little long-term utility, the China playbook includes blackmail and extortion. Similarly, China’s human intelligence approaches detailed via the compromises revealed by DOJ in 2017/2018 demonstrate they also have a firm handle on the collaborative approach of inducing individuals to cooperate by floating their economic or egotistical needs.

Targeting folios on your insiders that detail their financial situation (Equifax), including bankruptcy, indebtedness, health care expenses and the like, serve to reveal those who are most in need of money to keep their families fiscally solvent.

The question which one needs to be asking concerns your insider: are your employees susceptible to a collaborative approach, where the nation state is scratching an itch or filling a need and inducing your insider to collaborate, or a coercive approach where your insider feels they have been placed between a rock and a hard place?

Something to consider.