Marriott CEO: Source of cyberattack still unknown


Marriott International CEO Arne Sorenson testified to a U.S. Senate subcommittee Thursday, apologizing for the massive data breach that involved 383 million guest records in the Starwood hotels reservation system.

He also shared changes the company plans to make to ward off future attacks.

Appearing before the Senate Homeland Subcommittee Hearing on Data Breaches, Sorenson was asked if he believes China was responsible for the attack.

"The short answer is, we don't know," he said. "And I feel quite inadequate about even drawing inferences from the information we've obtained."

Sorenson says Marriott has given the FBI information about IP addresses and malware tools used in the Starwood system so its investigators can try to determine the cause.

"We've simply been focused on making sure the door is closed and communicating with our customers," Sorenson says.

Thus far, Sorenson says, Marriott has "not found any data that was removed from the Starwood database on the internet or dark web" and has not received any confirmed claims of loss attributable to the breach.

He told the panel that Marriott is addressing the risk of future cyberattacks with a "layered defense approach and continuous improvement."

Two key elements of the company's strategy to prevent future attacks: encryption and decentralized storage of guest data, such as passport information.

"In the Starwood system it was done locally and then essentially centralized into the data system," Sorenson said.

"There are pros and cons of allowing it to be entirely at property level. One of the pros is it's a smaller target, if you will. One of the cons, on the other hand, is then if each hotel needs the same elaborate system of cyber defenses, can you make sure that you are delivering that?

"Those are issues we are working through right now. I think in all likelihood everything, passports, will be encrypted.

"Secondly, I think we'll look very hard at not centralizing any of it but making sure that we've got appropriate tools at property level to protect against cyberattacks."

Sorenson outlined the timeline of the breach investigation, which he said began on Sept. 7, 2018, initiated by an alert from a cybersecurity tool.

But Sorenson said the investigation -- involving Marriott IT staff, outside security experts and the FBI -- did not determine until Nov. 19 that the intruder had accessed files containing personal information of Starwood guests, dating back to 2014.

The company issued a public statement on the breach on Nov. 30.

"We had lawyers and security experts and all sorts of other folks who were engaged in the conversation about timing, how quickly could we go," Sorenson said. "We also wanted to make sure we had set up call centers and websites so that the moment we released this information publicly, customers had a place to go."

Marriott announced plans to buy Starwood in November 2015 and the acquisition closed in September 2016 for $13.6 billion.

Source: Phocuswire
