
Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?

Years after having been hit by a trio of major data breaches between 2014 and 2020, Marriott announced on Wednesday settlements both with the US Federal Trade Commission (FTC) and a group of the attorneys general (AGs) from almost every US state. 

But the settlements disappointed many in the cybersecurity community, as both the monetary penalties and the cybersecurity requirements negotiated seemed woefully insufficient for a company the size of Marriott, which reported revenue of $23.7 billion last year.

The lackluster list of cybersecurity requirements sends the wrong signal to enterprise CISOs throughout the country, said Richard Blech, CEO of encryption company XSOC. “It gives CFOs an out. ‘Oh my God, that’s all that we have to do?’ This allows them to just check the box. They can then minimize [security spend] so that they think they don’t have to spend any more money,” Blech said. “It is going to take all of the CISO’s negotiating power away. It will slow down the CISO doing something, as it will allow the CFO to say ‘Let’s put it in next year’s budget.’ They compromised.”

The two deals — with the states and the FTC — were negotiated separately, but in parallel. The security requirements list that each published have overlaps, but the lists are not the same.

The states collectively negotiated a $52 million payment. The state AGs involved represented 49 US states plus Washington, DC; California did not participate.

California explained that it did not participate because “the data at issue in this breach was, at the time, not covered by California’s data breach laws. We addressed that through AB 1130, which was inspired by this breach. Please see the October 2019 press release announcing this legislation,” said an email from the California Attorney General’s press office.

Security requirements in the settlements

The cybersecurity requirements from the states included:

  • A comprehensive information security program that would be “incorporating zero-trust principles, regular security reporting to the highest levels within the company, including the chief executive officer, and enhanced employee training on data handling and security.”
  • Data minimization and disposal requirements.
  • Component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder’s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the network.
  • Increased vendor and franchisee oversight, with a special emphasis on risk assessments for “Critical IT Vendors,” and clearly outlined contracts with cloud providers.
  • In the future, if Marriott acquires another entity, it must in a timely manner further assess the acquired entity’s information security program and develop plans to address identified gaps or deficiencies in security as part of the integration into Marriott’s network.
  • An independent third-party assessment of Marriott’s information security program every two years for a period of 20 years for additional security oversight.
  • Marriott will give consumers specific protections, including a data deletion option, even if consumers do not currently have that right under state law. Marriott must offer multi-factor authentication to consumers for their loyalty rewards accounts.

The FTC requirements included:

  • Data minimization: Marriott must implement a policy to “retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and the specific business need for retaining it.”
  • Comprehensive information security program: Marriott and Starwood are required to establish, implement, and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards, and undergo an independent, third-party assessment every two years.
  • Data deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.

The FTC found that Marriott had “deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete, or disclose consumers’ personal information.”

Requirements not specific enough

The concern about the requirements was not solely that they were too low level, but that they were not sufficiently specific to be meaningful. For example, they did not specify the nature of the multi-factor authentication to be used or the particulars of a proposed zero-trust effort.

Two FTC attorneys involved in the Marriott negotiations, who asked that their names not be used, said in an interview with CSO that providing many of the specifics would not have been practical, given that the agreement is written to last 20 years.

“This is a 20 year order. What is state-of-the-art today will not be state-of-the-art in 2044,” said one of the FTC attorneys. “It would be like specifying that data was to be backed up with something like an 8-track tape.”

The FTC staffers said that many of these requirements would be new to Marriott, but they then clarified that they meant ‘new’ as in capabilities they didn’t have during the initial breaches in 2014 through 2020. They stressed that they did not know what Marriott has added since then.

Marriott did not respond to a request to clarify.

The company did, however, issue a generic statement responding to the settlements. 

“As part of the resolutions with the FTC and the state attorneys general, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress,” said the statement. “Protecting guests’ personal data remains a top priority for Marriott. These resolutions reaffirm the company’s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.”

Penalties insufficient, say experts

Roger Grimes, a defense evangelist at cybersecurity training company KnowBe4, cautioned security executives to not assume that the Marriott issues, which were mostly due to sloppiness and cutting corners, are unique to the hotel chain.

Don’t think Marriott “is a uniquely bad company poorly implementing cybersecurity controls while the majority of the rest of the world is doing everything right. Most organizations have large gaps in their cybersecurity controls. Most are not doing many basic things right. Marriott is far from an unusual bad actor,” Grimes said. “Most companies are doing cybersecurity controls like Marriott is doing, which is to say, likely doing a lot of the right things, but also with many gaps and many poorly implemented controls. Cybersecurity is often talked about as something we need to take very seriously, but in practice, most organizations have serious gaps.”

Matthew Webster, CEO of security firm Cyvergence, said he was also concerned about the settlements’ particulars. 

“There are more questions than answers here regarding Marriott, but this settlement seems woefully insufficient. There are obvious challenges that need to be addressed,” Webster said. “There are the obvious failings such as poor detection methodologies, such as a SIEM, NGAV, EDR, but there are larger pictures to consider.”

Blech stressed that these lists are not likely what the states or the FTC wanted, but it was the best agreement they could get from Marriott.

“It was based on a settlement. That means compromise, which is not good. Marriott does not give a damn about the monetary penalty, that’s just the cost of doing business for them. What they settled for is just a minimum of what they should have been doing anyway and now are made to do it, which they probably dislike far more than the monetary penalty,” Blech said. “They really should be penalized far more, as in losing some of their properties; that would be far more punitive and effective. A three time offender is just not acceptable.”

Blech added: “Given the level of the breaches, they certainly did not engage in best practices or proper cybersecurity hygiene, especially with access controls. And clearly they did not use encryption properly, or at all, where needed.”

Indeed, Marriott falsely said in court for five years that it had been using robust authentication, when in reality it had not used any encryption at all.

A ‘cascade of multiple failures’

“The fact that it took Marriott years to detect cybercriminals lurking in their systems is unacceptable and could’ve been avoided had their IT leaders been more proactive and strategic about cyber hygiene,” said Marc van Zadelhoff, CEO of email security firm Mimecast. “This was not one small miss but a ‘Black Swan’ event that was a consequence of a cascade of multiple failures.”

Robert Kramer, a VP/principal analyst for Moor Insights & Strategy, said that the key problem behind the breaches was security issues within the Starwood systems that Marriott inherited during the acquisition.

Marriott’s failing was that they suffered from “a huge lack of due diligence during the acquisition,” and that the new security mandates “are not going to be enough,” Kramer said. “They are not doing nearly enough that is out of the box,” such as using blockchain ledgers. 

The new stipulations “do not dive into enough details to make sure that this doesn’t happen again,” Kramer said. “This is all about implementing policies without a delivery mechanism of the right success factors.”

“The FTC did not come out hard enough, with specific details. They needed to be much harsher. They should not get off with this kind of slap on the wrist. This does not show the proper level of concern about what is needed,” Kramer said. “And that undermines what is required to have advanced security. It undermines what enterprises need to require as a standard. It undercuts the spending that the CFO will receive from the CEO.”

Kramer specifically referenced the states’ requirement for Marriott to be “incorporating zero-trust principles.” Said Kramer: “It’s just far too loose. It’s an idea. There is no basis and no specificity in what they need to do to implement it. To say ‘principles’ is ludicrous. It’s a bunch of words just to put words out there. It means absolutely nothing. There is no meaning to it.”

Katell Thielemann, distinguished VP analyst at Gartner, said that she expects future settlements for other companies to potentially be more stringent.

“Now that this playbook is in place, I can see it being invoked more frequently and with increasing security mandates as the consequences of the breaches warrant,” Thielemann said. “Should another cyber attack result in different impacts for individuals — for instance, direct financial harm — or society — for instance, as a result of the increasing attacks on critical infrastructure — the mandated security actions should ratchet up commensurate with those impacts. Now that the playbook is in place, it will hopefully not take 10 years for such settlements to be reached.”

