Given Marriott’s general cybersecurity history, expectations for the chain are not very high at present. Thus, a recent data breach that “only” compromised one property and “only” resulted in the theft of some 300 to 400 customer credit card numbers seems relatively benign next to its prior incidents: the 2014 mega-breach that impacted some 340 million customers worldwide (and was not revealed until 2018), and the 2020 breach that exposed personal profile details of 5.2 million guests.
The data breach took place at the BWI Airport Marriott near Baltimore, and Marriott says that it is directly contacting the 300 to 400 guests that had credit card information exposed. A social engineering attack was executed on a member of the hotel staff, who unwittingly granted access to the property’s network to the hacker.
Another data breach for Marriott, but involving only one property
A statement from Marriott indicates that the attacker only had access to the BWI Airport Marriott systems for six hours. However, that was long enough to exfiltrate about 20GB of data. This apparently was mostly composed of “non-sensitive” hotel business information, but also contained the hotel’s payment and reservation records containing customer credit card information.
Given that the hotel has 310 rooms, it is possible that the attacker only accessed information for guests that were checked in at the time or had upcoming reservations; information leaked to Databreaches.net indicates that the data breach may have happened sometime in late May 2022.
Marriott confirmed that social engineering was used and that one employee at the hotel was tricked into giving over access to their computer, presumably by phone. The data breach appears to be limited to just that property as the associate did not have access to Marriott’s broader network. However, the attackers apparently did attempt to privately extort Marriott corporate with information about the data breach before they released some of the documents they stole to the public as proof.
Located near Baltimore’s BWI Airport, the hotel is frequently used by flight crews that are in the midst of travel. The hackers released travel authorization files for several of these crew members that exposed full names, flight numbers and arrival times, employment position and room number in addition to the credit card details (including CVV and expiry date) used for booking (generally an airline corporate card). And though Marriott said that the hotel business information that was stolen was “non-sensitive,” DataBreaches.net reports seeing wage data for employees and a personnel assessment for at least one person.
Social engineering on the rise as automated defenses improve
While ransomware and phishing attacks that deliver backdoor malware are still the kings of the cyber crime world in terms of dollar amounts, recent statistics and surveys indicate that social engineering is on the rise as a preferred attack method. This may be a response to a general improvement in automated defenses and tools that are capable of reliably shutting down attackers of more modest skill; social engineering allows an attacker to skip most of the technical process if they can just find one employee that is susceptible to being tricked.
Neither Marriott nor the hackers responsible released much in the way of details about how the social engineering attack unfolded, but given the circumstances it was most likely by pretending to be from Marriott technical support staff and convincing the victim to either visit a phishing page, directly tell them what their login credentials were, or open up a remote desktop connection allowing the attackers to walk in without credentials.
The lattermost of these social engineering possibilities has been a common scam for years now, with the scammer often calling on the phone, pretending to be from Microsoft’s technical support team and convincing the victim to open a remote session due to detection of a “virus” or “intrusion” or something of that nature. Along with many other types of cyber crime, remote desktop scams surged in 2020 as companies transitioned to work-from-home models for many of their employees.
And though cryptocurrency has hit a lull period in 2022, its massive surges in recent years prompted a lot of new social engineering activity on social platforms such as Facebook and Instagram. The most common scams are “romance fraud” that involve fake online dating, and fake crypto investment opportunities. Though these attackers are usually just looking for victims to send them money, there is no reason they could not be altered to fish for credentials or openings into a company network by approaching employees in their personal online lives.
Roger Grimes, data-driven defense evangelist at KnowBe4, suggests that social engineering awareness training needs to be included in the regular company breach-prevention efforts that focus on phishing and malware: “Organizations need to ensure that all employees are frequently educated about this type of social engineering, receiving training at least once a month followed by simulated phishing tests, to see how well employees understood and deployed the training. Employees found to be susceptible to this particular type of phishing attack should be required to take more and longer training until they have developed a natural instinct to put these types of attacks.”
Jack Chapman, VP of Threat Intelligence at Egress, concurs but adds that policy and technology also need to be updated to counter the growing possibility of a social engineering data breach: “Many organizations have established security awareness training programs to try to prevent social engineering attacks such as phishing – but training alone is insufficient to mitigate the risks. Organizations need to deploy a combination of the right technology, the right policies and the right training to ensure their people are protected from this type of attack.”
Steve Moore, chief security strategist with Exabeam, notes that the “technology” portion of this should focus on mitigation measures to contain the attacker once they trick an employee into giving up access: “Even with social engineering, there’s typically a short list of methods employed by the adversary post-contact. Therefore, defenders must focus on the truths of what comes next – credential theft and misuse, along with deviant behavior.”
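As an added illustration (not from the article or from any of the vendors quoted), a small detection check for the “what comes next” pattern Moore describes: a remote-support session opened on a workstation, followed by an outsized volume of data leaving that host in a short window, as in the six-hour, roughly 20GB exfiltration reported here. The host names, the 1GB-per-window threshold and the log events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Marriott data): timestamp, host, event kind, value.
# "egress" value is bytes sent to external addresses in that interval;
# "remote_session" marks an interactive remote-support session being started.
SAMPLE_EVENTS = [
    ("2022-05-28T09:00:00", "FD-WS-07", "remote_session", "support-tool-started"),
    ("2022-05-28T09:30:00", "FD-WS-07", "egress", 3_500_000_000),
    ("2022-05-28T11:00:00", "FD-WS-07", "egress", 9_000_000_000),
    ("2022-05-28T13:00:00", "FD-WS-07", "egress", 8_200_000_000),
    ("2022-05-28T09:15:00", "FD-WS-02", "egress", 40_000_000),
    ("2022-05-28T14:00:00", "FD-WS-02", "egress", 55_000_000),
]

WINDOW = timedelta(hours=6)            # the attacker's reported dwell time
EGRESS_LIMIT = 1_000_000_000           # assumed baseline: 1 GB per window for a front-desk PC


def parse(events):
    """Turn ISO timestamps into datetimes; everything else is passed through."""
    return [(datetime.fromisoformat(ts), host, kind, val) for ts, host, kind, val in events]


def flag_hosts(events, window=WINDOW, limit=EGRESS_LIMIT):
    """Return {host: (bytes_in_worst_window, remote_session_seen)} for every host
    whose outbound volume inside any sliding window exceeds the limit."""
    by_host = defaultdict(list)
    remote = set()
    for ts, host, kind, val in sorted(parse(events), key=lambda e: e[0]):
        if kind == "remote_session":
            remote.add(host)
        elif kind == "egress":
            by_host[host].append((ts, val))
    flagged = {}
    for host, samples in by_host.items():
        worst = 0
        for i, (start, _) in enumerate(samples):
            # sum every sample that falls within `window` of this starting sample
            total = sum(v for t, v in samples[i:] if t - start <= window)
            worst = max(worst, total)
        if worst > limit:
            flagged[host] = (worst, host in remote)
    return flagged


if __name__ == "__main__":
    for host, (volume, remote_seen) in flag_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {volume / 1e9:.1f} GB in window, remote session seen: {remote_seen}")
```

A host that trips the volume check and also has a remote-session event is the combination worth paging on; the volume check alone will also catch legitimate backups, so the baseline needs tuning per host role.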