Too often, the true value of an organization’s data is only realized after a breach has occurred. A security event provides a moment of clarity where all of the worst-case scenarios suddenly come into terrifying focus. Case in point: the recent Marriott breach.
On November 30th, Marriott announced a breach of the Starwood guest reservation database. Marriott learned during an internal investigation that there had been unauthorized access to the Starwood network since 2014. This breach may have affected up to 500 million guests.
According to the original Marriott November press release:
“The information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences”. Compromised information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). Marriott has not been able to rule out that the hackers were able to gain access to the encryption keys.
On December 12, the NY Times and Washington Post reported that preliminary indications show the Marriott breach was executed by hackers affiliated with the Chinese Ministry of State Security (MSS). It would be easy for an organization like Marriott to say “We are just a hotel, it’s not like we have state secrets.” In application, how could a state actor like the Chinese Ministry of State Security use this data? Let’s run through the recent Marriott breach and see how a foreign actor could use this breach to compromise US national security.
Marriott International, headquartered in Bethesda, Maryland, is a preferred provider of lodging for US Government employees traveling domestically and internationally. The Marriott family of is used by other governments as well. Carl Ghattas is the Executive Assistant Director of the FBI National Security Branch and is the head of all FBI counterintelligence activity. And John Miller is the Deputy Commissioner of Intelligence & Counterterrorism for the NYPD. It is safe to assume that whenever these two individuals are in the same city at the same time, it would be of interest to the Chinese Ministry of State Security.
Beyond that, data gathered on other people staying at the same properties during the same time period can be very interesting to state intelligence agencies. Using the power of big data, this data could be cross-referenced against other hotel stays or other data breaches to provide insights on personnel and operations. Data from incidents like the breach of private equity firm Apollo reported in July (126 million records) or the breach of marketing data giant Exactis in June (132 million records) are widely available on the dark web, and contain employer, family structure and project income data.
In this scenario an organization like MSS could use an event where Ghattas and Miller were both present and pull the list of all other attendees at the same hotel. It could then use big data analytics to spot trends where these individuals are present at other events, and bounce the list against the 126 million records available in a breach like Apollo. This could help MSS weed out uninteresting hotel guests or identify guests with an interesting work history. Combining work history with travel patterns for individuals and groups with big data processes could enable an intelligence agency to assign a meta score to individuals and determine the relative likelihood that an individual would have access to classified information or the ability to influence tactics and practices on intelligence events.
Sources in the Trump administration say there are plans to declassify intelligence reports to reveal Chinese efforts, dating to at least 2014, to build a database containing names of executives and American government officials with security clearances.
In a sinister application of this same data set, the Ministry of State Security could use this data to identify individuals meeting with officials from the UN Human Rights Council.
In November 2015 the G20, of which China is a member, agreed not to conduct cyber economic espionage.
As it turns out, organizations like Marriott may indeed have “state secrets” within their data stores.
It is vital that any organization understand the location, value and potential liability associated with its data. It is a healthy exercise to explore the worst-case scenario of a data breach.
Marriott Announces Starwood Guest Reservation Database Security Incident
https://www.npr.org/2018/12/12/675983642/chinese-hackers-are-responsible-for-marriott-data-breach-reports-say
https://www.wired.com/story/apollo-breach-linkedin-salesforce-data/
https://www.fbi.gov/investigate/counterintelligence
https://www1.nyc.gov/site/nypd/bureaus/investigative/intelligence-counterterrorism.page