What can we learn from the Marriott cyber security incident?

5th December 2018

Stuart Reed
VP, Products

Last week the Marriott International hotel chain revealed a serious cyber security breach concerning the organisation’s Starwood guest reservation system, possibly affecting over 500 million people.

Key details of the attack:

  • The initial intrusion at Starwood occurred in 2014.
  • Marriott’s investigation was sparked by an alert from a cyber security application on September 8th.
  • By November 19th Marriott had decrypted a file that the intruder had copied out of the reservation system and encrypted.
  • Marriott notified the media on November 30th.
  • The backdoor had been in place before, during and after Marriott’s acquisition and integration of Starwood, announced in November 2015.
  • Personal and contact details were contained in the records. Some also had payment card numbers and expiration dates, although these would have been encrypted.
  • 327 million records are confirmed as compromised, although Marriott believes the number of people involved could exceed 500 million once the investigation is complete.

The breach is among the largest cyber security incidents ever recorded in terms of the number of people whose data has been compromised.


The full costs of the incident might never be known, or at least they’ll be difficult to quantify. The immediate costs of investigating and resolving the problem already include hiring leading security experts.

Extra expense has been incurred in contacting all the affected customers and setting up a dedicated website and call centre to handle queries. Compensation for those individuals is likely to be substantial (a similar breach cost Yahoo $50 million) and there may be legal costs too, depending on how the issue is handled.

Marriott is informing all the relevant regulatory bodies, and in the UK the Information Commissioner’s Office has confirmed receipt of a notice. It’s highly likely that fines will be imposed for the failure to protect personal and confidential data, as was the case with Yahoo, Tesco Bank and Equifax.

Reputational costs

The final costs arising from reputational damage can be the hardest to quantify. Marriott’s share price dropped by 6% the day after the announcement, although historically troughs caused by cyber breaches don’t last long.

A longer-term impact could be a change in the way institutional investors and regulators view acquisitions and mergers. Because the initial breach was traced back to before Marriott’s acquisition of Starwood, regulatory bodies may in future require stronger technical due diligence for similar corporate transactions.

Then there is the potential impact on sales. Will consumers shy away from Marriott brands as a result of this breach? Certainly the 500 million people directly affected by it are likely to have trust issues with the brand moving forward.

What are the lessons?

There are a number of useful takeaways from the Marriott breach for those not directly involved in cyber security:

  1. Don’t only look for the obvious cyber attacks – While many forms of malware immediately make themselves known (for example the WannaCry ransomware that crippled the NHS, among many others, in May 2017), hackers who are after valuable, confidential data work behind the scenes. Their goal is to stay hidden for as long as possible to gather as much information, data and system access details as they can. Obvious attacks are also often used as camouflage in orchestrated campaigns, to occupy defenders while the real crime is committed.
  2. Don’t underestimate the value of data – people will pay for it – A distinctive feature of the Marriott breach was the discovery of an encrypted file, presumably created either by the original hacker or by someone who had bought the access details from them. Once security experts decrypted the file it was found to hold the customer records. Given that the original intrusion was in 2014, it is very likely that some, or all, of the data had already been extracted and sold on the black market.
  3. Prevent data from being removed – Data exfiltration, copying data out of a network, is the end goal of an intrusion like the one at Starwood. One common technique hides chunks of data inside legitimate-looking packets, often domain name system (DNS) queries, which are routinely allowed through defences. It’s not enough to put measures in place that make it harder for intruders to get in; systems also need to stop them getting the valuables out.

Being proactive reaps dividends

The Marriott hack and the timescales involved reinforce the need to have an active cyber defence strategy; it’s far better than retrospectively fixing holes after they’ve been exploited. Nominet’s interest stems from being the originator of the NTX cyber security platform, which uses DNS packet analysis to detect signs of cyber attacks and blocks them before they cause damage.

The DNS is the ‘phonebook’ of the internet, converting the domain names we know into the numerical ‘real’ addresses that the internet uses. Billions of DNS packets are flying around the internet and internal networks at any one time and are often allowed through cyber defences, as they are vital for the operation of any network.

DNS is the key to Cyber Security

Criminals use DNS in cyber attacks for malware communications, data exfiltration and targeted phishing among other activities, but each attack leaves its mark. Nominet has created technology that ‘listens’ for those marks, picking out and blocking threats hiding within vast amounts of network traffic.
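What such a ‘mark’ looks like for DNS-based exfiltration (the technique described under lesson 3 above), as an added example that is not Nominet’s NTX code and not anything recovered from the Marriott investigation: the first two functions show how an attacker packs data into query names and reassembles it at the authoritative name server, and detect_dns_exfil flags the resulting pattern in DNS query logs using volume, name-length and entropy heuristics. The domain names, client address, payload and log lines are constructed for the example; the log format and the thresholds are assumptions.

```python
"""Added example (not Nominet's NTX code, and not anything recovered from the
Marriott investigation): how DNS-based exfiltration packs data into query
names, and a simple heuristic detector that flags it in DNS query logs.
Domain names, addresses, payload and log lines below are constructed."""
import base64
import math
from collections import defaultdict

# Hypothetical attacker-controlled domain acting as the exfiltration channel.
EXFIL_DOMAIN = "cdn-telemetry.example"


def encode_exfil_queries(data: bytes, domain: str, chunk: int = 30) -> list[str]:
    """Split data into DNS query names of the form <seq>.<base32 chunk>.<domain>.
    Base32 is used because DNS names are case-insensitive, which would corrupt
    base64; chunk <= 63 keeps each label within the DNS label length limit."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    return [f"{i // chunk}.{b32[i:i + chunk]}.{domain}"
            for i in range(0, len(b32), chunk)]


def decode_exfil_queries(names: list[str], domain: str) -> bytes:
    """Reassemble the payload on the attacker's side: the authoritative name
    server for `domain` sees every query name that resolvers forward to it."""
    parts = {}
    for name in names:
        seq, payload = name.split(".")[:2]
        parts[int(seq)] = payload
    b32 = "".join(parts[k] for k in sorted(parts)).upper()
    b32 += "=" * (-len(b32) % 8)          # restore the padding stripped on encode
    return base64.b32decode(b32)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores far above words like 'www'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n)
                for c in (s.count(ch) for ch in set(s)))


def registered_domain(qname: str) -> str:
    """Naive 'last two labels'; real tooling uses the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def detect_dns_exfil(log_lines, min_queries=5, min_avg_len=20.0, min_entropy=3.0):
    """Group queries by (client, registered domain) and flag groups with many
    distinct, long, high-entropy subdomains: the shape of tunnelled data.
    Assumed (constructed) log format: '<timestamp> <client> <qname> <qtype>'."""
    groups = defaultdict(list)
    for line in log_lines:
        _ts, client, qname, _qtype = line.split()
        groups[(client, registered_domain(qname))].append(qname.rstrip("."))
    suspects = []
    for (client, domain), qnames in groups.items():
        subs = {q[: -len(domain) - 1] for q in qnames}   # unique subdomain parts
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if avg_len >= min_avg_len and entropy >= min_entropy:
            suspects.append({"client": client, "domain": domain,
                             "unique_names": len(subs),
                             "avg_subdomain_len": round(avg_len, 1),
                             "entropy": round(entropy, 2)})
    return suspects


# Constructed sample data: a fake guest record and a short DNS query log.
PAYLOAD = (b"guest=Jane Doe;passport=X1234567;card=4111111111111111;"
           b"exp=12/22;email=jane.doe@example.net;phone=+44 20 7946 0000")

BENIGN = [  # ordinary-looking lookups from the same client
    "2018-09-08T10:15:01Z 10.20.30.40 www.marriott.example A",
    "2018-09-08T10:15:02Z 10.20.30.40 outlook.office.example A",
    "2018-09-08T10:15:03Z 10.20.30.40 www.marriott.example A",
    "2018-09-08T10:15:04Z 10.20.30.40 update.antivirus.example A",
    "2018-09-08T10:15:05Z 10.20.30.40 time.pool.example A",
]
EXFIL = [f"2018-09-08T10:15:{6 + i:02d}Z 10.20.30.40 {q} A"
         for i, q in enumerate(encode_exfil_queries(PAYLOAD, EXFIL_DOMAIN))]
SAMPLE_LOG = BENIGN + EXFIL

if __name__ == "__main__":
    for hit in detect_dns_exfil(SAMPLE_LOG):
        print(hit)
```

Running the block flags only cdn-telemetry.example for client 10.20.30.40; the benign lookups never reach the volume or length thresholds. A production detector would add the Public Suffix List for domain grouping, a per-domain baseline of normal query rates, and attention to record types (TXT, NULL) that tunnelling tools favour, but the three signals shown here are the ones DNS-layer monitoring relies on.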

“The Marriott hack is the latest in a long line of hacks that would concern consumers across the world,” said Simon McCalla, Nominet’s CTO.

“Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital. Proactive defence is better than retrospective and with 500 million customers affected by this breach, Starwood Groups are finding this out the hard way.”

Find out more about protecting your network and your organisation with Nominet’s NTX platform.
