Marriott Data Breach: 500 Million Reasons Why It’s Critical to Protect Machine Identities

December 4, 2018 | Scott Carter

Every time I see a breach like the recent one at Marriott, I look for details of how encryption was misused to hide or prolong the intrusion and the resulting exfiltration. (It’s an occupational hazard of working for the leader in machine identity protection.) But even though I know that encryption plays a critical role in many of these breaches, details about how keys and certificates were misused in the attack are not often forthcoming.

Earlier this year we did see an example of how a certificate gone wrong may have prolonged a breach. The U.S. Government Accountability Office (GAO) released a comprehensive report on the Equifax breach which revealed that an expired certificate on an SSL/TLS inspection system had gone unreplaced for roughly 10 months. An inspection device with an expired certificate cannot decrypt and inspect the traffic passing through it, so this blind spot may have allowed attackers to exfiltrate data undetected for an extended period of time.

And now Marriott reveals that the intruders’ tactics included encrypting the information taken from the compromised database, a move often used to avoid detection while moving stolen data out of a company’s network. This type of blind spot is not as uncommon as we’d like to think. A recent Venafi study revealed that “Nearly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.”

According to Michael Thelander, Director of Product Marketing at Venafi, “Session logging might tell where SSH keys were used while the attackers were in the network, but there’s a real possibility that keys could have been exfiltrated in parallel with the data. If that’s the case, we may not know it happened until newly-decrypted payment card data begins to drive new fraud schemes.”

Even worse, the company cannot confirm that its encryption keys are all accounted for. According to Krebs on Security, “customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.”

As Robyn Weisman states in her coverage of the GAO report on the Equifax breach, “what should have been a secure tunnel for the safe transmission of legitimate data became a secure tunnel for exfiltrating stolen private financial records.” In the case of Marriott, the exposed information includes some combination of name, mailing address, phone number, email address and passport number.

Although Marriott “deeply regrets [what] happened”, the challenge remains to determine what went wrong in the acquisition of the breached Starwood, and whether compromised keys and certificates may still be an issue.

To me, this only underscores why organizations need a complete and accurate accounting of all of their machine identities, such as TLS certificates and SSH keys. Continuous monitoring of every key and certificate is the only way organizations can detect when one of these machine identities is doing something that may indicate suspicious activity. Any key or certificate that is out of your control is one that is available for use by attackers.
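As an added example (not code from the post or from Venafi), here is a small stdlib-only Python audit of the two kinds of machine identity named above. It reads notAfter straight out of DER-encoded X.509 certificates and flags expired or soon-to-expire ones, which is the check that would have caught the inspection-device certificate in the GAO report, and it fingerprints every entry in an authorized_keys file and flags keys missing from an approved inventory. The certificate bytes and SSH key blobs are constructed inline, structurally minimal and unsigned, so the script runs offline; the host names, key owners and dates are assumptions for illustration.

```python
import base64
import hashlib
from datetime import datetime

def der_encode(tag, body):
    """DER TLV encoder, used only to build the constructed sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_decode(buf, off=0):
    """Return (tag, body, next_offset) for the TLV that starts at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(body):
    """Split a SEQUENCE body into its (tag, body) elements."""
    out, off = [], 0
    while off < len(body):
        tag, inner, off = der_decode(body, off)
        out.append((tag, inner))
    return out

def parse_time(tag, body):
    """UTCTime (0x17) or GeneralizedTime (0x18) in the 'Z' form RFC 5280 requires."""
    text = body.decode("ascii")
    if tag == 0x17:  # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")

def certificate_validity(cert_der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert_body, _ = der_decode(cert_der)
    _, tbs, _ = der_decode(cert_body)  # tbsCertificate is the first element
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = der_children(fields[3][1])
    return parse_time(*not_before), parse_time(*not_after)

def audit_certificates(inventory, now, warn_days=30):
    """inventory: {name: DER bytes}. Returns [(name, status, days_left)]."""
    findings = []
    for name, cert_der in inventory.items():
        _, not_after = certificate_validity(cert_der)
        days_left = (not_after - now).days
        status = "EXPIRED" if now > not_after else "EXPIRING" if days_left <= warn_days else "OK"
        findings.append((name, status, days_left))
    return findings

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def ssh_fingerprint(line):
    """SHA256 fingerprint as ssh-keygen -l prints it; tolerates an options prefix such as command="..."."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)
    digest = hashlib.sha256(base64.b64decode(tokens[idx + 1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(lines, approved):
    """approved: {fingerprint: owner}. Any key absent from the inventory is flagged UNKNOWN."""
    findings = []
    for line in (raw.strip() for raw in lines):
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        findings.append((fp, approved.get(fp, "UNKNOWN")))
    return findings

def sample_cert(not_before, not_after):
    """Constructed, unsigned, minimal certificate: only validity is meaningful; names and SPKI are empty."""
    def utc(d):
        return der_encode(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + der_encode(0x05, b""))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + sha256_rsa
                     + der_encode(0x30, b"") + der_encode(0x30, utc(not_before) + utc(not_after))
                     + der_encode(0x30, b"") + der_encode(0x30, b""))
    return der_encode(0x30, tbs + sha256_rsa + der_encode(0x03, b"\x00"))

def fake_key_blob(seed):
    """Constructed SSH wire-format blob (string key type, string key) with a hash standing in for key material."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()).decode()

NOW = datetime(2018, 12, 4)  # audit clock: the post's date (assumption)
CERT_INVENTORY = {  # constructed inventory; names are assumptions
    "tls-inspection-proxy": sample_cert(datetime(2017, 1, 31), datetime(2018, 1, 31)),  # expired ~10 months ago
    "www-edge": sample_cert(datetime(2018, 1, 1), datetime(2018, 12, 20)),
    "api-gateway": sample_cert(datetime(2018, 6, 1), datetime(2019, 6, 1)),
}
AUTHORIZED_KEYS = [  # constructed authorized_keys content
    "# deploy user, rotated 2018-09",
    'command="/usr/bin/rsync --server" ssh-ed25519 ' + fake_key_blob(b"deploy") + " deploy@build-01",
    "ssh-ed25519 " + fake_key_blob(b"unexpected") + " root@unknown-host",
]
APPROVED = {ssh_fingerprint(AUTHORIZED_KEYS[1]): "deploy@build-01"}

if __name__ == "__main__":
    for finding in audit_certificates(CERT_INVENTORY, NOW) + audit_authorized_keys(AUTHORIZED_KEYS, APPROVED):
        print(*finding)
```

Against real systems you would feed `audit_certificates` the DER of each deployed certificate (base64-decode the PEM body first) and `audit_authorized_keys` the contents of every account's authorized_keys file, with the approved inventory pulled from wherever key ownership is recorded. The fingerprints match what `ssh-keygen -lf` prints, so findings can be reconciled with what administrators already see.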

As Thelander sums up, “Without constant visibility into the location of the keys and certificates that protect machine identities, there’s no way of knowing what systems are vulnerable, where pivots have occurred, and where new attacks will be pointed.”

About the author

Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.
