{"id":701,"date":"2024-10-11T02:47:13","date_gmt":"2024-10-11T02:47:13","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=701"},"modified":"2024-10-11T02:47:13","modified_gmt":"2024-10-11T02:47:13","slug":"do-the-marriott-cybersecurity-settlements-send-the-wrong-message-to-cisos-cfos","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=701","title":{"rendered":"Do the Marriott cybersecurity settlements send the wrong message to CISOs, CFOs?"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Years after having been hit by <a href=\"https:\/\/www.csoonline.com\/article\/567795\/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html\">a trio of major data breaches <\/a>between 2014 and 2020, Marriott announced on Wednesday settlements both with the US Federal Trade Commission (FTC) and a group of the attorneys general (AGs) from almost every US state.\u00a0<\/p>\n<p>But the settlements disappointed many in the cybersecurity community, as both the monetary penalties and the cybersecurity requirements negotiated seemed woefully insufficient for a company the size of Marriott, which reported revenue of $23.7 billion last year.<\/p>\n<p>The lackluster list of cybersecurity requirements sends the wrong signal to enterprise CISOs throughout the country, said Richard Blech, CEO of encryption company XSOC. \u201cIt gives CFOs an out. \u2018Oh my God, that\u2019s <em>all <\/em>that we have to do?\u2019 This allows them to just check the box. They can then minimize [security spend] so that they think they don\u2019t have to spend any more money,\u201d Blech said. \u201cIt is going to take all of the CISO\u2019s negotiating power away. 
It will slow down the CISO doing something, as it will allow the CFO to say \u2018Let\u2019s put it in next year\u2019s budget.\u2019 They compromised.\u201d<\/p>\n<p>The two deals, with the states and the FTC, were negotiated separately but in parallel. The security requirements lists that each published overlap, but they are not the same.<\/p>\n<p>The states collectively negotiated a $52 million payment. The state AGs involved represented 49 US states plus Washington, DC; California did not participate.<\/p>\n<p>California explained that it did not participate because \u201cthe data at issue in this breach was, at the time, not covered by California\u2019s data breach laws. We addressed that through <a href=\"https:\/\/legiscan.com\/CA\/text\/AB1130\/id\/2056995\">AB 1130<\/a>, which was inspired by this breach. Please see the <a href=\"https:\/\/oag.ca.gov\/news\/press-releases\/attorney-general-becerra-and-assemblymember-levine%E2%80%99s-data-breach-notification\">October 2019 press release<\/a> announcing this legislation,\u201d said an email from the California Attorney General\u2019s press office.<\/p>\n<h2 class=\"wp-block-heading\">Security requirements in the settlements<\/h2>\n<p>The cybersecurity requirements from the states included:<\/p>\n<ul>\n<li>A comprehensive information security program \u201cincorporating zero-trust principles, regular security reporting to the highest levels within the company, including the chief executive officer, and enhanced employee training on data handling and security.\u201d<\/li>\n<li>Data minimization and disposal requirements.<\/li>\n<li>Component hardening, conducting an asset inventory, encryption, segmentation to limit an intruder\u2019s ability to move across a system, patch management to ensure that critical security patches are applied in a timely manner, intrusion detection, user access controls, and logging and monitoring to keep track of movement of files and users within the 
network.<\/li>\n<li>Increased vendor and franchisee oversight, with a special emphasis on risk assessments for \u201cCritical IT Vendors,\u201d and clearly outlined contracts with cloud providers.<\/li>\n<li>If Marriott acquires another entity in the future, it must assess the acquired entity\u2019s information security program in a timely manner and develop plans to address identified gaps or deficiencies as part of the integration into Marriott\u2019s network.<\/li>\n<li>An independent third-party assessment of Marriott\u2019s information security program every two years for a period of 20 years, for additional security oversight.<\/li>\n<li>Specific consumer protections, including a data deletion option, even where consumers do not currently have that right under state law. Marriott must also offer multi-factor authentication to consumers for their loyalty rewards accounts.<\/li>\n<\/ul>\n<p>The FTC requirements included:<\/p>\n<ul>\n<li>Data minimization: Marriott must implement a policy to \u201cretain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and the specific business need for retaining it.\u201d<\/li>\n<li>Comprehensive information security program: Marriott and Starwood are required to establish, implement, and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The program must contain robust safeguards and undergo an independent, third-party assessment every two years.<\/li>\n<li>Data deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and\/or a loyalty rewards program account number.<\/li>\n<\/ul>\n<p>The FTC found that Marriott had \u201cdeceived consumers by claiming to have reasonable and appropriate data security. 
Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete, or disclose consumers\u2019 personal information.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Requirements not specific enough<\/h2>\n<p>The concern about the requirements was not solely that they set too low a bar, but that they were not specific enough to be meaningful. For example, they did not specify the nature of the multi-factor authentication to be used or the particulars of the proposed zero-trust effort.<\/p>\n<p>Two FTC attorneys involved in the Marriott negotiations, who asked that their names not be used, said in an interview with <em>CSO<\/em> that providing many of the specifics would not have been practical, given that the agreement is written to last 20 years.<\/p>\n<p>\u201cThis is a 20-year order. What is state-of-the-art today will not be state-of-the-art in 2044,\u201d said one of the FTC attorneys. \u201cIt would be like specifying that data was to be backed up with something like an 8-track tape.\u201d<\/p>\n<p>The FTC staffers said that many of these requirements would be new to Marriott, but then clarified that they meant \u2018new\u2019 as in capabilities Marriott did not have during the breaches of 2014 through 2020. 
They stressed that they did not know what Marriott has added since then.<\/p>\n<p>Marriott did not respond to a request to clarify.<\/p>\n<p>The company did, however, issue a generic statement responding to the settlements.\u00a0<\/p>\n<p>\u201cAs part of the resolutions with the FTC and the state attorneys general, Marriott will continue implementing enhancements to its data privacy and information security programs, many of which are already in place or in progress,\u201d said <a href=\"https:\/\/news.marriott.com\/news\/2024\/10\/09\/marriott-international-resolves-state-attorneys-general-and-federal-trade-commission-investigations\">the statement<\/a>. \u201cProtecting guests\u2019 personal data remains a top priority for Marriott. These resolutions reaffirm the company\u2019s continued focus on and significant investments in maintaining and adapting its programs and systems to assess, identify, and manage risks from evolving cybersecurity threats.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Penalties insufficient, say experts<\/h2>\n<p>Roger Grimes, a defense evangelist at cybersecurity training company KnowBe4, cautioned security executives to not assume that the Marriott issues, which were mostly due to sloppiness and cutting corners, are unique to the hotel chain.<\/p>\n<p>Don\u2019t think Marriott \u201cis a uniquely bad company poorly implementing cybersecurity controls while the majority of the rest of the world is doing everything right. Most organizations have large gaps in their cybersecurity controls. Most are not doing many basic things right. Marriott is far from an unusual bad actor,\u201d Grimes said. \u201cMost companies are doing cybersecurity controls like Marriott is doing, which is to say, likely doing a lot of the right things, but also with many gaps and many poorly implemented controls. 
Cybersecurity is often talked about as something we need to take very seriously, but in practice, most organizations have serious gaps.\u201d<\/p>\n<p>Matthew Webster, CEO of security firm Cyvergence, said he was also concerned about the settlements\u2019 particulars.\u00a0<\/p>\n<p>\u201cThere are more questions than answers here regarding Marriott, but this settlement seems woefully insufficient. There are obvious challenges that need to be addressed,\u201d Webster said. \u201cThere are the obvious failings such as poor detection methodologies, such as a SIEM, NGAV, EDR, but there are larger pictures to consider.\u201d<\/p>\n<p>Blech stressed that these lists are not likely what the states or the FTC wanted, but it was the best agreement they could get from Marriott.<\/p>\n<p>\u201cIt was based on a settlement. That means compromise, which is not good. Marriott does not give a damn about the monetary penalty, that\u2019s just the cost of doing business for them. What they settled for is just a minimum of what they should have been doing anyway and now are made to do it, which they probably dislike far more than the monetary penalty,\u201d Blech said. \u201cThey really should be penalized far more, as in losing some of their properties; that would be far more punitive and effective. A three time offender is just not acceptable.\u201d<\/p>\n<p>Blech added: \u201cGiven the level of the breaches, they certainly did not engage in best practices or proper cybersecurity hygiene, especially with access controls. 
And clearly they did not use encryption properly, or at all, where needed.\u201d<\/p>\n<p>Indeed, Marriott falsely claimed in court for five years that it had been using encryption, <a href=\"https:\/\/www.csoonline.com\/article\/2096365\/marriott-admits-it-falsely-claimed-for-five-years-it-was-using-encryption-during-2018-breach.html\">when in reality it had not used any encryption at all<\/a>.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">A \u2018cascade of multiple failures\u2019<\/h2>\n<p>\u201cThe fact that it took Marriott years to detect cybercriminals lurking in their systems is unacceptable and could\u2019ve been avoided had their IT leaders been more proactive and strategic about cyber hygiene,\u201d said Marc van Zadelhoff, CEO of email security firm Mimecast. \u201cThis was not one small miss but a \u2018Black Swan\u2019 event that was a consequence of a cascade of multiple failures.\u201d<\/p>\n<p>Robert Kramer, a VP\/principal analyst for Moor Insights &amp; Strategy, said that the key problem behind the breaches was security weaknesses within the Starwood systems that Marriott inherited in the acquisition.\u00a0<\/p>\n<p>Marriott\u2019s failing was \u201ca huge lack of due diligence during the acquisition,\u201d and the new security mandates \u201care not going to be enough,\u201d Kramer said. \u201cThey are not doing nearly enough that is out of the box,\u201d such as using blockchain ledgers.\u00a0<\/p>\n<p>The new stipulations \u201cdo not dive into enough details to make sure that this doesn\u2019t happen again,\u201d Kramer said. \u201cThis is all about implementing policies without a delivery mechanism of the right success factors.\u201d<\/p>\n<p>\u201cThe FTC did not come out hard enough, with specific details. They needed to be much harsher. They should not get off with this kind of slap on the wrist. This does not show the proper level of concern about what is needed,\u201d Kramer said. 
\u201cAnd that undermines what is required to have advanced security. It undermines what enterprises need to require as a standard. It undercuts the spending that the CFO will receive from the CEO.\u201d<\/p>\n<p>Kramer specifically referenced the states\u2019 requirement for Marriott to be \u201cincorporating zero-trust principles.\u201d Said Kramer: \u201cIt\u2019s just far too loose. It\u2019s an idea. There is no basis and no specificity in what they need to do to implement it. To say \u2018principles\u2019 is ludicrous. It\u2019s a bunch of words just to put words out there. It means absolutely nothing. There is no meaning to it.\u201d<\/p>\n<p>Katell Thielemann, distinguished VP analyst at Gartner, said that she expects future settlements for other companies to potentially be more stringent.<\/p>\n<p>\u201cNow that this playbook is in place, I can see it being invoked more frequently and with increasing security mandates as the consequences of the breaches warrant,\u201d Thielemann said. \u201cShould another cyber attack result in different impacts for individuals \u2014 for instance, direct financial harm \u2014 or society \u2014 for instance, as a result of the increasing attacks on critical infrastructure \u2014 the mandated security actions should ratchet up commensurate with those impacts. 
Now that the playbook is in place, it will hopefully not take 10 years for such settlements to be reached.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Years after having been hit by a trio of major data breaches between 2014 and 2020, Marriott announced on Wednesday settlements both with the US Federal Trade Commission (FTC) and a group of the attorneys general (AGs) from almost every US state.\u00a0 But the settlements disappointed many in the cybersecurity community, as both the monetary [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":611,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-701","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/701"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=701"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/701\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/611"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=701"}],"curies":[{"
name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}