Security Week 49: Hacking Dell and Marriott

    Last week was marked by two major leaks of users' personal data. Dell detected an intrusion into its own network: customer names and addresses leaked, along with hashed passwords, which were forcibly reset for all users. The leak at the Marriott hotel chain was larger. Back in 2014, attackers gained access to the customer database of Starwood Hotels, a chain that Marriott acquired in 2016.

    The unauthorized access to the customer database was discovered only in September of this year. According to preliminary data, 500 million Starwood customers were affected; for 327 million guests the exposed data included names, physical and email addresses, telephone and passport numbers, booking dates and other private information. This is a very serious leak, comparable to the Yahoo breach.

    A rather restrained notice on the Dell website reports that the attack was detected on November 9. For more than three weeks it was not possible to reliably establish that the user database had been stolen; it is only known that unauthorized access to it took place. The forced password reset for all registered customers is therefore an extra precaution. The company encourages its users to choose strong passwords and not to reuse passwords across different services.

    Dell's recommendations for creating strong passwords are worth a look: at least 8 characters, both upper- and lower-case letters, and at least one digit. Do not use obvious words such as a last name or street name. It is suggested to think up a passphrase and build the password from the first letters of its words. The notice also explains in some detail how hashing on the company's side protects passwords: the specific algorithm is not disclosed, but it is reported to have been tested in an independent review.
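    The rules above can be turned into a policy check, and the server-side protection the notice describes can be shown with a salted PBKDF2 store and constant-time verification. This is an added example, not Dell's code; the obvious-word list and the sample passphrase are constructed, and Dell's actual hashing algorithm is not known.

```python
import hashlib
import hmac
import os
import re

# Words the page says not to use (last name, street name). The concrete list
# is a constructed placeholder, not Dell's; a real deployment would load the
# customer's own name and address fields here.
OBVIOUS_WORDS = ("smith", "mainstreet", "password", "dell")


def check_policy(password, obvious_words=OBVIOUS_WORDS):
    """Return the rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    lowered = password.lower()
    problems += [f"contains obvious word {w!r}" for w in obvious_words if w in lowered]
    return problems


def passphrase_to_password(phrase):
    """Take the first character of each word, keeping its case and any digits."""
    return "".join(word[0] for word in phrase.split())


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False
```

Because the salt and iteration count travel with the record, the work factor can be raised later by re-hashing at the next successful login.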

    Overall, Dell is setting a good example of cyber incident response: customers were notified, the data leak was stopped, a firm was hired for a security audit, and law enforcement agencies were informed. And all this for a (presumably) small-scale leak, although the matter is not only about passwords: the Dell customer list also has value and, alas, can be used for further attacks on those customers.

    The Marriott case is much more complicated. According to the company's report, unauthorized access to the data of Starwood Hotels (at that time an independent organization) was obtained back in 2014, and the purchase of the competing hotel chain did not help to detect the data leak. Only on September 8 of this year did a certain "internal security system" record an attempt to access the database. An investigation followed, during which an encrypted copy of the database was found: presumably it had been prepared for subsequent exfiltration from the corporate network. The actual download of the database was not confirmed, but given that the corporate network had been compromised for four years, there is no doubt that the attackers had access to customer data.

    And to what data? The damage could be estimated after the copy was decrypted. An estimated 500 million Starwood customers were affected. 327 million records contain complete information about the client: check-in and check-out dates, mailing address, passport number, and so on. For "a number of customers" the data also included encrypted payment information (credit card number and expiration date). There is a possibility that the attackers have access to information that allows this payment data to be decrypted. For the remaining (supposedly) 100+ million customers, only limited information, a name and address, leaked.

    It can be assumed that the problem was precisely the integration of the newly acquired company, including its information systems, or rather the lack of it: Starwood continued to operate as an independent structure after the purchase (partly because of that, the hotels owned directly by the Marriott network were not affected). Such large business transactions clearly take a very long time, and it is possible that the data leak was detected precisely during an attempt to merge two different IT systems. Affected customers are promised email notifications and are offered a free subscription to a service that tracks the appearance of private data online. Marriott also promised to strengthen the security of Starwood's corporate infrastructure.

    The Marriott data leak has a lot in common with the theft of Yahoo email users' data. There, too, data on 500 million users leaked, and the intrusion also went undetected for a long time: the leak allegedly occurred in 2014 and was revealed in 2016. In October of last year another incident became known, in which the data of all three billion of the company's users allegedly leaked. Finally, Yahoo was at the time negotiating the sale of its business to Verizon, but the leak became known before the deal closed, not after. As a result, the company's value in the takeover fell by $350 million, which can be considered the direct financial damage from the cyber attack.

    Even if Starwood clients' credit card data was not compromised, cybercriminals actively monetize access to the hotel chains' own loyalty programs. A short study of underground price lists by Kaspersky Lab expert David Jacobi gives an idea of what accounts for various services fetch on the black market. Netflix, Spotify and Steam accounts go for a couple of dollars apiece at retail, and for a few cents each in bulk. For $10 you can get 100 thousand email-and-password combinations of users from a particular country. Regularly changing passwords and using a unique password for each service will definitely benefit everyone, regardless of the news about the next major hack.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. The editors generally recommend treating any opinions with healthy skepticism.