Marriott Data Breach: 500 Million Reasons Why It’s Critical to Protect Machine Identities

December 4, 2018 | Scott Carter

Every time I see a breach such as the recent one at Marriott, I look for details of how encryption was misused to hide or prolong the breach and the resulting exfiltration. (It’s an occupational hazard of working for the leader in machine identity management). But even though I know that encryption plays a critical role in many of these breaches, details about how keys and certificates were misused in attacks are not often forthcoming. 

Earlier this year, we did see an example of how a certificate gone wrong may have prolonged a breach. The U.S. Government Accountability Office (GAO) released a comprehensive report that revealed that an expired certificate on an SSL/TLS inspection system was not replaced for 10 months or so. This may have allowed attackers to exfiltrate data undetected for an extended period of time. 

And now Marriott reveals that intruder tactics included encrypting information from the hacked database, a move that is often used to avoid detection when removing the stolen information from a company’s network. This type of blind spot is not as uncommon as we’d like to think. A recent Venafi study revealed that “Nearly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.”

According to Michael Thelander, Director of Product Marketing at Venafi, “Session logging might tell where SSH keys were used while the attackers were in the network, but there’s a real possibility that keys could have been exfiltrated in parallel with the data. If that’s the case, we may not know it happened until newly-decrypted payment card data begins to drive new fraud schemes.”

Even worse, the company cannot confirm that stolen keys are all accounted for. According to Krebs on Security, “customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.”

As Robyn Weisman states in her coverage of the GAO report on the Equifax breach, “what should have been a secure tunnel for the safe transmission of legitimate data became a secure tunnel for exfiltrating stolen private financial records.” In the case of Marriott, the information includes some combination of name, mailing address, phone number, email address, and passport number.

Although Marriott “deeply regrets [what] happened”, the challenge remains to determine what went wrong when acquiring the besieged Starwood, and how compromised keys and certificates may still be an issue.

To me, this only underscores why organizations need to have a complete and accurate accounting of all of their machine identities, such as TLS certificates and SSH keys. Continuous monitoring of all keys and certificates is the only way that organizations can detect when any of these machine identities is doing something that may indicate suspicious activity. Any key or certificate that is out of your control is one that is available for use by attackers.
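As an added illustration of the continuous-monitoring point above (example code, not Venafi's or the author's), the Go program below sweeps an inventory of parsed X.509 certificates and flags any that have already expired or will expire within a warning horizon, the check that would have surfaced the lapsed inspection-device certificate in the GAO report. The certificates, host names and the 30-day horizon are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sweep checks every inventoried certificate's validity window against the sweep time and a warning
// horizon, returning only those needing action, keyed by Common Name (assumed here for readability).
func sweep(certs []*x509.Certificate, now time.Time, warn time.Duration) map[string]string {
	findings := map[string]string{}
	for _, c := range certs {
		switch {
		case now.After(c.NotAfter):
			findings[c.Subject.CommonName] = "expired"
		case now.Add(warn).After(c.NotAfter):
			findings[c.Subject.CommonName] = "expiring-soon"
		}
	}
	return findings
}

// newSelfSigned mints a throwaway self-signed certificate: a constructed stand-in for a discovered certificate.
func newSelfSigned(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	// The GAO case: an inspection device whose certificate lapsed ten months ago and was never renewed.
	inspector, _ := newSelfSigned("tls-inspector.internal.example", now.AddDate(-2, 0, 0), now.AddDate(0, -10, 0))
	web, _ := newSelfSigned("www.example", now.AddDate(0, -11, 0), now.AddDate(0, 0, 20))
	for cn, status := range sweep([]*x509.Certificate{inspector, web}, now, 30*24*time.Hour) {
		fmt.Printf("%-32s %s\n", cn, status)
	}
}
```

In practice the inventory would be fed by network discovery and CA records rather than self-signed test data, and findings would be keyed by certificate fingerprint.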

As Thelander sums up, “Without constant visibility into the location of the keys and certificates that protect machine identities, there’s no way of knowing what systems are vulnerable, where pivots have occurred, and where new attacks will be pointed.”

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.