Blog post

7 Lessons from Marriott Starwood breach and what Mueller teaches us

By Avivah Litan | December 10, 2018 | 2 Comments

Starwood emailed me a couple days ago telling me my data was part of their 500 million record customer data breach.  The remediation actions they offered me:

  1. call their call center,
  2. read their email,
  3. proactively learn if my data is for sale (without a URL to enroll in that service)

…only served to infuriate me.  My privacy was violated and there’s nothing I can do about it. It’s too late.

To be honest, I don’t really blame Starwood – the problem is much bigger than anything they can solve on their own.  After all, if the NSA and CIA can’t keep determined bad guys out, how can a hotel chain do the same?

Here are the lessons that stand out to me from the Marriott/Starwood breach:

  1. Mueller indictment shows even the smartest security investigators can’t find stealth malware

The July 2018 Mueller indictment against the DNC hackers proved, in black and white legalese, that even the most skilled and expert forensic security firms can’t always find and remove advanced malware from an organization’s networks.

That indictment revealed that the forensic security firm hired by the DNC left behind a virulent piece of malware with substantial consequences to the 2016 U.S. election, after the firm supposedly cleaned up the DNC machines and network.

See Figure 1 for Counts 32 and 33 below from that indictment.

Figure 1: July 2018 Mueller Indictment


Surely most organizations don’t have the requisite skills or resources to keep the stealthy bad actors out if even the best security firms can’t.

  2. Attacks against hotel chains continue

The Marriott/Starwood breach did not happen in isolation. There are hundreds of ongoing attacks against all kinds of companies, including major hotel chains.

Threat research and prevention firm Diskin Advanced Technologies did a quick surface scan of phishing campaigns against just five major hotel chains for the 48 hours ending December 3rd, and discovered 53 active campaigns, with an average of 10 campaigns per hotel chain. 21 of the campaigns against the five hotel chains were attributed to the same actor, and were designed to collect sensitive information on individuals.

In the same 48-hour period, phishing campaigns against just these five hotel chains represented about a third of the amount of phishing accounts against over 100 financial organizations. Clearly hotel chains have data the criminals are very interested in, such as targets’ travel patterns and passport data. (Many data breaches start with targeted phishing attacks; the phishing attacks analyzed here are of a different ilk, as they aim at the masses to elicit hordes of individual consumer responses. But they provide strong indicators that hotels are prime criminal targets.)

See Figure 2 below for more context on these phishing campaigns.

Figure 2: Diskin Advanced Technologies phishing campaign graphs for five major hotel chains

Source: Diskin Advanced Technologies, December 2018

  3. Still No Effective National Cybersecurity Defense Strategy that extends across the Private/Public Sectors. At a minimum, the U.S. government should proactively hunt for these bad actors and deliver IOCs (indicators of compromise) to private industry and public organizations that they can then use to block many hacks.
  4. No U.S. Federal Breach Disclosure law and No U.S. Federal Data Privacy laws (similar to the EU’s GDPR) that come with predictable penalties.
  5. No notable enforcement of data security by U.S. consumer protection agencies. For example, despite the enormity and sensitivity of the Equifax breach of some 145 million American credit bureau records, the credit bureau has so far not been fined by the two U.S. regulatory agencies with jurisdiction over such matters – the FTC and the Consumer Financial Protection Bureau. See GAO’s Equifax Report; Company left private data vulnerable on several fronts
  6. Most importantly, consumers have no control over their data privacy in today’s information processing environments. This is true in all aspects of modern electronic business and life, whether consumers use search, social media, ecommerce sites, credit cards, online financial services, pay taxes, receive government benefits, travel, or just about anything else.

  7. Decentralized Identity; its time has come – but will it come?

Blockchain distributed ledger technology is being used for decentralized identity use cases implemented by various technology companies and end users. (Please see Cool Vendors in Blockchain Technology and Predicts 2019: Blockchain Technology.) Commonly referred to as ‘self-sovereign’ identity, this tech enables consumers to control their own identity data and release it selectively to whomever they wish.

The data can and should be released in a privacy-respecting manner, so that proof of it exists (using features such as Zero Knowledge Proofs or other data anonymization techniques) without the identity data details themselves having to be disclosed.
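As an added illustration of the selective-disclosure idea above (not code from the post or from any product it mentions), the following example uses salted hash commitments rather than a full zero-knowledge proof: the issuer commits to every attribute, the holder reveals only the one attribute a verifier needs (e.g. nationality), and the verifier checks it against the issuer-authenticated commitments while the passport number and date of birth stay hidden. The issuer key, attribute names and the use of HMAC as a stand-in for the issuer's digital signature are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key. A real deployment would use a
# public-key signature so verifiers never hold issuer secrets; HMAC keeps this offline.
ISSUER_KEY = secrets.token_bytes(32)


def commit(value, salt):
    """Hiding commitment to one attribute: SHA-256 over a fresh random salt and the value."""
    return hashlib.sha256(salt + value.encode()).hexdigest()


def _issuer_tag(commitments):
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_credential(attributes):
    """Issuer side: commit to each attribute with its own salt and authenticate the set.
    Returns (holder_secret, public_credential); only the holder keeps values and salts."""
    salts = {name: secrets.token_bytes(16) for name in attributes}
    commitments = {name: commit(value, salts[name]) for name, value in attributes.items()}
    holder_secret = {"attributes": dict(attributes), "salts": salts}
    credential = {"commitments": commitments, "issuer_tag": _issuer_tag(commitments)}
    return holder_secret, credential


def disclose(holder_secret, name):
    """Holder side: open exactly one commitment; all other attributes remain hidden."""
    return {"attr": name, "value": holder_secret["attributes"][name],
            "salt": holder_secret["salts"][name].hex()}


def verify_disclosure(credential, disclosure):
    """Verifier side: check issuer authentication, then that the opened value matches."""
    if not hmac.compare_digest(_issuer_tag(credential["commitments"]), credential["issuer_tag"]):
        return False
    expected = credential["commitments"].get(disclosure["attr"])
    if expected is None:
        return False
    actual = commit(disclosure["value"], bytes.fromhex(disclosure["salt"]))
    return hmac.compare_digest(expected, actual)


# Constructed sample identity data for a hotel guest.
SAMPLE = {"passport_number": "X1234567", "nationality": "NL", "dob": "1980-05-17"}
```

The commitments are hiding because each salt is random and never shown for undisclosed attributes, and binding because a different value or salt changes the SHA-256 digest the verifier recomputes.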

I’ve always been a skeptic of federated identity schemes for consumers since they emerged, because the key sticky business issue – i.e. having an originating identity provider take responsibility and liability for a consumer’s identity – was never resolved. With Self-Sovereign Identity, the user takes responsibility for their own identity, which addresses the previously intractable business problem.

Of course many obstacles remain before we see ‘self-sovereign identity’ implemented in a truly decentralized manner without any central authority controlling the information. The first and foremost obstacle is gaining consumer and organizational adoption, which will be difficult to achieve as decentralized identity data turns current business and technology models — e.g. search, advertising, social media, and financial services — upside down.

But it’s certainly nice to see a possible way forward.  Maybe one day I will stop receiving infuriating notices that my personal data has been compromised in yet another data breach that I have absolutely no control over.  Losing control over my identity data and the algorithms that leverage it is definitely an existential threat that I would like to eliminate. 


  • Our government has failed miserably on its primary objective, citizen protection. The cyber security industry has done little more. Decades of promises for a safe internet, yet we still do not have a citizenry advocacy for protected E-Government and E-Commerce. The worst part is the lack of understanding that securing citizen electronic transactions is essential to our national economy and national security. Regulatory guidance is inconsistent and there is really no incentive for commercial organizations to fix the problem. We largely have the wolves guarding the hen house. Even Government caters to the status quo lobby. Our biggest failure is using and maturing preventive solutions as we lose focus on the next potential saving technology. Decentralized Identity via blockchain solutions still needs to be based on a root of trust to ensure the accuracy and consistency of authoritative information. Our industry must come together to achieve a safe Internet for our common good. Citizen advocacy must make sure technology is usable and secure by design. Blockchain is not the technology panacea and if applied improperly it will become another in a long line of failures.

  • Avivah Litan says:

    Well said Daniel! Thank you for your insights.