If you were one of the 500 million users affected by the December 2018 Marriott/Starwoods password breach, your credentials were exposed, your personal details were collected as was, possibly, your credit card information on file.
The breach happened in a corporate customer database. While credential exposure is nothing new on the corporate side, the sheer scale of this massive breach has a number of obvious, and a few not so obvious, implications to the 500 million affected customers. Chances are, if you travel and stay at a hotel, this breach affects you.
There are a number of striking things about this breach.
- The sheer size of the breach — 500 million records
- The attack might have happened as far back as 2014
- Passport numbers, when stored with a users’ profile, were also compromised
- It is believed to be a state-sponsored attack because the user IDs and passwords have not shown up for sale…yet!
Let’s concentrate solely on the password breach aspects.
For the 500 million customers who have forever been compromised by the breach, the overall outlook is worse. Statistically:
- 250 million of the compromised users of this breach will have used that same comprised password on multiple websites.
- Of those 250 million users, 175 million won’t change that breached password even a year later.
- Further 100 million users will still be using that same compromised password a full 3 years later.
These stats are incredibly disturbing.
Individual users can’t do anything proactively about the corporate protection(s) related to the protection of their credentials in an IdP. In this case, most of the information that Marriott/Starwood collected was necessary for them to do business and you couldn’t have stayed on any property without providing that information. However, there are corporate and consumer controls that could help both reduce the risk of the corporate identity database being hacked and your consumer credentials from being leveraged in the future.
We don’t know how the hacker accessed the database, but we can safely assume the hacker did so through an administrative account. That admin account may have been brute force attacked — if so, even a complex password would eventually be cracked. Perhaps a password policy to change the passwords of the admin accounts every so often. However, few companies actually enforce that on service accounts with administrative access. Password policies are important, but even the most complex password is vulnerable once the credential store is hacked.
That’s why two factor, or multifactor authentication (MFA) is urgently needed. It requires an additional proof factor before allowing access. Even if 100% of the credentials are exposed, a second factor can be invoked before allowing access to resources/applications. This breach illustrates the necessity of an additional factor, or more, for at least administrative access to essential customer data.
Optimal IdM has a robust MFA offering that has been named “Best Multifactor Authentication Solution” in the 2017 Government Security News (GSN) Homeland Security Awards (HSA) Program under the Cyber Security Products and Solutions category. Contact us at firstname.lastname@example.org for more information.
This is Part I of a 2 Part Blog…click here for Part II