Hotel chain discovers breach of customer database following acquisition of a competitor

PIPEDA Findings #2022-005

July 15, 2022

---

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Report of findings

Summary

1. On November 30, 2018, Marriott International, Inc. (“Marriott”) publicly announced that it had experienced a data security breach involving unauthorized access to a Starwood Hotels (“Starwood”) database. Starwood was a separate hospitality company acquired by Marriott in September 2016. This access spanned over four years, from 2014 to 2018. Marriott also reported the privacy breach to our office on November 30, 2018. Following its analysis to remove duplicate records, Marriott advised that an attacker (the “attacker” or “malicious actor”) obtained access to personal information contained in up to approximately 339 million records, including up to 12.8 million records where the country-of-residence information was listed as Canada.
2. Given the involvement of records of Canadians and as eleven complaints were received by the Office of the Privacy Commissioner of Canada (the “OPC”), the Privacy Commissioner of Canada commenced an investigation of Luxury Hotels International of Canada, ULC (“Luxury Hotels Canada”), the wholly-owned indirect subsidiary of Marriott International, Inc. (“Marriott”). Luxury Hotels Canada is Marriott’s primary operating company for Canadian hotels. As Marriott cannot exclude the possibility that the breach involved guest records that had been created as far back as 2002, the OPC’s investigation considered Marriott’s:
   1. information security safeguards, including its due diligence in assessing the security safeguards of its acquired assets;
   2. accountability measures with respect to implementing policies and practices such that it can appropriately protect personal information under its control; and
   3. information retention practices.
3. We found that certain allegations in the complaints are well-founded given the inadequacy of Marriott’s safeguard and accountability measures at the time of the breach; they are also conditionally resolved as Marriott has agreed to the OPC’s recommendations. Our investigation found that, even though the attacker introduced malware into the Starwood system prior to Marriott’s acquisition of that system, Marriott failed to identify deficiencies in its testing measures and information security controls or detect the threat in a timely manner. As a result, personal information under Marriott’s control was accessed by the attacker. In particular, our investigation found that Marriott could have detected the breach sooner and minimized the attacker’s activities if it had: (i) more comprehensive logging and monitoring measures in place, (ii) adequately applied its multi-factor authentication access controls, and (iii) adequate accountability measures in place to ensure the ongoing assessment and revision of its security safeguards. Finally, we found that Marriott could have reduced the scale or impact of the breach if it had sufficient measures in place for Starwood systems to ensure the encryption of sensitive information and the timely deletion of personal information.
4. In addition to decommissioning the Starwood database involved in the breach in December 2018, we acknowledge that Marriott has now taken a number of other remedial actions to improve its information security safeguards, and organizational and governance policies. We consider it important that these improvements have also been included in Marriott’s current systems. To ensure this, Marriott agreed to engage an experienced and accredited external assessor to evaluate the enhancements it made to prevent a similar privacy breach from occurring. Marriott also agreed to continue to review its organizational and governance measures to ensure the ongoing assessment of its privacy framework, information security program, information security controls, incident response capabilities, and due diligence process for acquired assets. We believe that these actions will provide further assurances that Marriott has taken measures to ensure the protection of its customer’s personal information in compliance with the Act.

Background and scope

5. Marriott received an internal security alert on September 8, 2018, and later found that an unauthorized party had copied and encrypted information from a guest reservation database on the Starwood network. Starwood was a separate hospitality company that Marriott acquired in September 2016.
6. This breach involved Starwood guest profile and contact details,^{Footnote 1} as well as Starwood Preferred Guest account and reservation information.^{Footnote 2} For a subset of individuals, their passport details (passport numbers, passport country code, or the country of the guest’s passport) and/or encrypted payment card details were also affected. Notably, some but not all passport numbers were encrypted. Although Marriott analyzed the affected data to identify duplicate records, Marriott has so far been unable to completely remove all duplicates. As such, the number of affected records reported by Marriott may still include multiple records relating to the same guest. From its analysis, Marriott understands that approximately 86,000 Canadian passport records were involved and approximately 483,000 of the affected encrypted payment card records belonged to Canadians.^{Footnote 3} The attacker obtained access to this personal information from four tables in the Starwood database for up to approximately 339 million records worldwide (including multiple records relating to the same guest). This included 12.8 million records (again, including multiple records relating to the same guest) where the country-of-residence information was listed as Canada. The oldest affected records were created in 2002.
7. Following its receipt of notice from a managed service provider about a security alert (triggered on September 7, 2018), Marriott began investigating and containing the breach. To contain the breach, Marriott blocked and removed all malware it had detected and associated with the incident (e.g. the web shell installed by the attacker, Remote Access Trojans, and a credential harvesting program). Marriott also applied additional access controls and credential resets (by enhancing multi-factor authentication and implementing IP whitelisting to the database), rebuilt certain servers to enable increased security features, and rebuilt the network devices accessed by the malicious actor.
8. In its response to the breach, Marriott also engaged with an outside law firm and a third party forensic firm, deployed enhanced monitoring and forensic tools to devices on the Starwood network, installed additional logging and monitoring tools (including monitoring hardware appliances) in Starwood’s data centres to alert for suspicious behaviour, and began notifying affected individuals. Marriott also updated its security plan based on its learnings from this incident.
9. Between December 7, 2018 and August 4, 2019, our Office received 11 complaints about the breach. The complainants stated they received a notification letter from Starwood Hotels that informed them that their personal information was impacted by the breach.
10. The complainants alleged that Marriott’s information handling practices failed to protect their personal information.

Issues examined in this report

11. Given the above context, this report examines the following issues and corresponding PIPEDA Principles from Schedule 1 of the Act:
    1. Issue 1: Safeguards – Given the compromise of security safeguards in this breach, was personal information held by Marriott protected by security safeguards appropriate to the sensitivity of the information as required by Principle 4.7 (Safeguards)?
    2. Issue 2: Accountability – The breach involved unauthorized access pre-dating Marriott’s acquisition of Starwood in 2016. When it acquired control and responsibility of the Starwood network, did Marriott demonstrate due diligence and take steps to fulfil its responsibilities to implement policies and practices to protect personal information under Principle 4.1.4 (Accountability)?
    3. Issue 3: Information Retention – Due to the age of some of the personal information involved in the breach, did Marriott retain personal information for longer than necessary? This is relevant to Principle 4.5 (Limiting use, disclosure and retention).
    4. Issue 4: Notification to Affected Individuals and Mitigation Measures – Given that the compromised information presents an ongoing risk of harm for those affected, were the mitigation measures offered by Marriott to affected individuals adequate to protect their personal information from unauthorized use, such as future identity theft, in accordance with Principle 4.7 (Safeguards)?

Methodology

12. In reaching the conclusions set out in the report, our Office considered the following information:
    1. Representations made by Marriott, including the provision of a confidential forensic analysis report, and supporting documentation such as Marriott and Starwood’s relevant policies and procedures; and
    2. Information our Office gathered and analyzed from publicly available sources concerning the breach, including information published by the Information Commissioner’s Office U.K. (the “U.K. ICO”) regarding action they have taken against Marriott in relation to the breach.^{Footnote 4}

Issue 1: Safeguards

13. Principle 4.7 provides that organizations are required to protect personal information by security safeguards appropriate to the sensitivity of the information. The security safeguards must protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification (4.7.1).
14. This section of the report considers the security safeguards that were in place at the time of the breach, along with the security gaps that were highlighted by the breach.

The Starwood network

15. The Starwood network was segmented based on geography, business purpose, and data classification.
16. Having regard to the information accessed in this breach, the Starwood Guest Reservation Database (the “Database”) received payment card data. As such, the Database was located in a network segment referred to as Starwood’s Cardholder Data Environment (“CDE”).

Marriott’s account of the breach

17. Marriott’s investigation found that the malicious actor gained access to a web server in the Starwood network on July 29, 2014, and installed a web shell on that web server. Subsequently, the attacker uploaded files to Starwood’s web server via that web shell. These files were tools that allowed the attacker to harvest legitimate credentials for Starwood’s system and remotely access the Starwood network. In addition to the web shell, the tools uploaded and used by the attacker were:
    1. three different Remote Access Trojans (“RATs”), which are malicious codes or software that allowed them to remotely access the Starwood network;
    2. a credential harvesting program called Mimikatz; and
    3. an open-source virtual private network (“VPN”) tool, which subsequently enabled the attacker in July 2018 to remotely access the Starwood network with their own computer.
18. The credential harvesting program enabled the attacker to access usernames and passwords for legitimate users in the Starwood network, including some administrator accounts. As the attacker obtained the access rights associated with certain administrator accounts, they were able to copy certain information from the Starwood Database into an output file and to compress and encrypt parts of the output file. In particular, the attacker accessed and encrypted personal information from four tables in the Database.
19. Marriott represented that, although it was unable to definitively conclude whether the attacker had successfully ex-filtrated data or what data had been ex-filtrated, its investigation found evidence that the attacker took steps to prepare for the removal of data from the Starwood network.
20. Additionally, Marriott’s investigation discovered a memory-scraping malware that was installed on multiple Starwood servers. This malware was intended to collect payment card data. However, Marriott determined that this malware did not successfully collect any payment card data. Marriott also advised that it does not believe it was connected to the breach examined in this report.
21. Despite the attacker’s first access to the network occurring in July 2014, Marriott was not alerted to the attacker’s activities until September 8, 2018, when it received notice from its managed service provider that a Guardium alert was triggered on September 7, 2018. Marriott learned that the alert was triggered by a user querying certain “record count information” pertaining to a Starwood database table, the “Guest_Master_Profile” table, that contained personal information^{Footnote 5} and had been categorized as sensitive because it contained encrypted payment card data.

Analysis of Safeguards

22. Various kinds of personal information were accessed in the breach: names, phone numbers, mailing address, email address, date of birth, gender, Starwood Preferred Guest account information, reservation information, and communication preferences. Marriott explained that the type of personal information that was accessed varied, and that not all affected records contained all of the personal information data elements listed above. Additionally, in a limited subset of instances, the breach involved passport numbers (some of which were encrypted) and encrypted payment card numbers and expiration dates. The Starwood Preferred Guest program was discontinued in August 2018 when Marriott Rewards, Ritz-Carlton Rewards, and Starwood Preferred Guest were unified under a single new loyalty program called Marriott Bonvoy.
23. While certain of the information involved in the breach could be deemed less sensitive in isolation (e.g. contact phone and address details, Starwood Preferred Guest account information, date of birth), it holds a higher level of sensitivity if and when combined. The sensitivity of this information is particularly heightened when attached to a government identifier, such as a passport number, or financially related information (such as encrypted payment card numbers and expiration dates in some instances).
24. Individuals affected by this breach are at risk because, in this case, an unauthorized actor obtained access to a combination of personal information that gives them real potential to harm individuals (e.g. phishing, fraudulent activities, identity theft). For example, as the compromised information included details about guest accounts, reservations, and, in limited instances, passport numbers or encrypted payment card numbers and expiration dates; a malicious actor with this information would be more capable of executing phishing attacks or impersonating an individual. While in our view this risk remains a concern, we note that Marriott has reported to the OPC that it has not received any substantiated claim of financial loss arising from this incident. Marriott also reported that it has not been made aware of any other harm resulting from this incident, or any phishing of misuse of personal information occurring in connection with this breach. The OPC takes the position that the lack of such awareness is not an indication that adverse incidents have not occurred.
25. Under PIPEDA, the security safeguards to protect this personal information should be commensurate to the sensitivity of the personal information. The safeguards relevant to this breach have been examined below.

Access controls

26. In relation to the attacker’s first access to the Starwood network on July 29, 2014, Marriott advised that it has not been able to determine how the attacker was able to initiate this access and install the web shell on a Starwood web server. Regardless of the method used, the web shell allowed the attacker to install malicious tools, enabling them to harvest legitimate credentials for Starwood’s system and remotely access the Starwood network.
27. Marriott advised that the Database and CDE had various levels of protection including access control lists, username and password controls, anti-virus software, multi-factor authentication, and monitoring tools, backed by a centralized security control center that served as a hub for deploying new alerts and other security measures. Key elements of the foregoing measures were validated through regular Payment Card Industry Data Security Standards (“PCI DSS”)^{Footnote 6} testing of the CDE. Further detail regarding testing activities that organizations should conduct are examined later in this report from paragraph 60. Where the personal information being protected holds a higher level of sensitivity, such as in a certain limited subset of data involved in this incident, the OPC expects organizations to have more authentication factors or layers in place.^{Footnote 7} However, these access controls should also be implemented in a complete manner to ensure their effectiveness. In this breach, it is possible that the attacker was able to surpass these access controls due to:
    1. the malicious tools they installed; and
    2. the incomplete implementation of multi-factor authentication and monitoring tools.
28. The access control lists utilized on the Starwood network meant that each network segment (e.g. the Starwood corporate environment segment vs. the Starwood CDE segment) had separate active directory structures with various levels of credentials. One example of this was that front-desk employees at Starwood and Marriott properties had read-only access to the Database to assist guests with tasks such as check-in or to provide information regarding guest reservations. Another example is database administrator account credentials, which allowed read and write capabilities on the database.
29. As noted earlier, the attacker installed a credential harvesting program, Mimikatz. This allowed the attacker to scan the Starwood server for usernames and passwords stored in system memory. Subsequently, the attacker was able to obtain username and password credentials for Starwood user accounts and database administrator accounts. Notably, since the OPC issued its Preliminary Report of the Investigation to Marriott, Marriott clarified that usernames and passwords were only temporarily stored in system memory.
30. Marriott advised that, before it discovered the breach, it understood that multi-factor authentication had been properly implemented for anyone requiring access to the Starwood CDE and subsequently, the Database. Marriott explained that this understanding was based on the following:
    1. Marriott received Reports on Compliance (“ROCs”) from two different independent security assessors in 2015, 2016 and 2017, regarding Starwood’s compliance with the PCI DSS. The ROCs stated that Starwood had implemented the measures necessary to operate its CDE in compliance with the PCI DSS, including the implementation of multi-factor authentication for anyone requiring access to the Starwood CDE. Marriott advised that it was entitled to rely on the ROCs to establish that MFA had been correctly implemented for access to the CDE.
    2. Around the time of Marriott’s acquisition of Starwood in 2016, Marriott received assurances from Starwood employees that multi-factor authentication had been implemented for administrators.
31. However, while investigating the breach in September 2018, Marriott discovered that multi-factor authentication had not been fully deployed before it acquired Starwood. Marriott’s investigation found that some administrative accounts and systems with access to the CDE did not have multi-factor authentication applied. Marriott’s investigation found that the attacker accessed the Database in the CDE by leveraging these administrative accounts, i.e. accounts in certain administrator groups that did not have multi-factor authentication enabled. This is concerning as administrative accounts should have strict access controls, as they are often targeted by hackers due to their broader access to information and system permissions.^{Footnote 8}

Anti-virus software

32. One key safeguard to defend against malware and viruses is to install anti-virus software and ensure that this software is current by performing regular updates.^{Footnote 9}
33. Marriott submitted that its anti-virus manufacturer did not have the unique signatures associated with the RATs used by the attacker at the time of the breach. As such, the anti-virus software was not able to detect or remove the RATs sooner. Marriott alleged that the next generation of anti-virus software was not commonly in use at the time of the incident, and that even the current version of PCI DSS guidance (version 3.2.1) does not require the implementation of such anti-virus software. Marriott also submitted that regular anti-virus scans took place every two weeks across the Starwood network prior to the incident. The OPC notes that, even if the latest anti-virus software is not commonly in use or “required”, maintaining an up-to-date anti-virus solution preserves its effectiveness and increases the likelihood that organizations will detect and contain breaches involving malware and viruses sooner. Organizations face different levels of cyber-threats based on a multitude of factors, including the value of personal information held. As a consequence, they must choose the software and safeguards that are aligned to the threats they face.
34. To prevent breaches caused by new malware that are not yet covered by anti-virus software, organizations should implement additional layers of security that also protect against viruses and malware. One additional layer is to implement binary and application whitelisting that quarantines suspicious or unauthorized instances of binaries (also referred to as executable code), thus making them not executable until authorized. Another example of this might be to integrate sandboxing technology that filters email, web browsing traffic and software installations while protecting an operating system from malicious code infections. Notably, although it is unlikely that binary or IP address whitelisting would have prevented this particular attack, the OPC’s review of a forensic report of the breach found that application whitelisting at the file hash level^{Footnote 10} would have caught this attack much sooner, if not disabled it altogether. However, since discovering the breach, Marriott took certain remedial actions commensurate with the above-mentioned security layers.^{Footnote 11}

Logging and monitoring safeguards

Marriott’s safeguards did not detect the attacker’s activities in a timely fashion

35. A key safeguard for protecting against external threats is a Security Incident and Event Management (“SIEM”) system. This kind of system can act as a technological tool for active surveillance by responding to potential threats or suspicious activities by analyzing aggregated logs from several sources (databases, servers, etc.) in real time. In the event of a breach, a robust SIEM should also allow an organization to determine the direct cause. As the nature of attacks are constantly changing and evolving, the configuration and management rules for SIEMs can also be expected to evolve over time. Although Starwood had its own SIEM in place at the time of the incident and Marriott had a SIEM installed since 2007, it did not complete the SIEM’s application to the Starwood network until March 31, 2018. Marriott took the position that due to the size and scale of Starwood, it needed a longer timeframe. Marriott advised that it took an ‘appropriate, risk-balanced, and prudent approach’ to the security of the Starwood systems until it completed the migration into Marriott’s systems. The OPC understands that, depending on the size and complexity of a network, it may take a number of months to complete a SIEM’s implementation. However, even early in its adoption, a SIEM should be able to record and receive data about potential threats at minimum.
36. At the time of the breach, Marriott also had a Security Operations Centre (“SOC”) in place to monitor the Starwood network logs for threats. These network logs came from various Starwood systems. Prior to Marriott’s acquisition of the Starwood network, the SOC was being managed by a third-party service provider. Marriott advised that it believed the monitoring and logging in place for the CDE to be appropriate based on independent security assessments. However, during Marriott’s integration of Starwood’s systems, Marriott identified that certain network logs had stopped flowing to its third-party service provider and to remedy this, Marriott replaced that service provider in March 2018.
37. Marriott’s SIEM and SOC systems did not issue any alerts related to the breach prior to September 2018. In particular, these systems did not alert Marriott to the attacker’s installation of malware in 2014, or the steps that the attacker took to remove data from the Starwood database in 2015. Based on the available information, this is because: (i) Marriott’s SIEM was not being applied to the Starwood network until March 31, 2018; and (ii) the logs that would have identified these earlier activities were not being sent to the SOC.
38. The IBM Guardium database security tool (“Guardium”) had been in use on the Database since at least 2008. Marriott indicated that it was reasonable for Marriott to rely on Guardium as, at the time of the incident, Guardium was an above industry-standard tool for organizations not operating in the financial services industry. Guardium has two security functions:
    1. to log database activities, such as efforts to create, read, update, or delete data within a database; and
    2. generate alerts when certain defined conditions are satisfied or when specific activities occur within a database.
39. Even though Guardium had been in use on the Starwood database since before the attacker’s initial activities in 2014, their activities did not trigger a Guardium alert until September 7, 2018, which prompted Marriott’s breach investigation. The Guardium alert was only triggered by a user querying a specific Starwood database table (the “Guest_Master_Profile” table) that had been categorized as sensitive as it contained encrypted payment card data. Marriott also explained that the September 2018 Guardium alert was prompted by:
    1. the specific query run by the attacker (i.e. the command to “count” the rows in the database table);
    2. the inclusion of the database table’s name, “Guest_Master_Profile”, in the attacker’s query; and
    3. the alert being set up specifically for the “Guest_Master_Profile” table because it contained encrypted payment card numbers.
40. This delayed identification of the attacker’s activities demonstrates that the monitoring systems were not sufficient to detect the attacker’s activities in a timely fashion; nor were they sufficient to detect and obstruct the attacker’s related activities on September 10, 2018, after they were alerted to the breach on September 8, 2018. Marriott takes the position that it was reasonable for it to consider that the Guardium alerts in respect of the Starwood CDE were appropriately configured. This is because Guardium’s configuration had been assessed as part of Starwood’s PCI DSS testing by two different independent security assessors on three separate occasions – by one assessor both in 2015 and in 2016, and by another assessor in 2017.

Marriott’s logs did not monitor or audit privileged or administrator accounts

41. Adequate logs and monitoring are crucial for an organization’s capacity to detect unauthorized activities in a timely fashion, investigate incidents, and improve safeguards by learning from gaps identified in its logs. Given that the attacker’s activities commenced on the Starwood network in July 2014, it is concerning that the above monitoring safeguards did not alert Starwood (or later, Marriott) to the breach until September 2018. Marriott was also unable to definitively determine the attacker’s activities based on its available logs. In particular, we note that Marriott’s logs did not provide sufficient evidence to:
    1. determine the web server condition that enabled the web shell installation; or
    2. identify exactly what commands the attacker ran on the Database throughout the four-year span of the incident.
    Marriott took the position that the additional monitoring or logging would not necessarily have resulted in the attack being detected, as the attacker was not operating from a suspicious IP address. However, the OPC notes that logging involves looking at other IT factors such as network traffic and network flow, not just IP addresses.
42. Alongside monitoring logs to detect unauthorized activities, it is also important that organizations have proactive measures in place to monitor and/or audit user accounts, including privileged or administrator accounts. This is especially important for detecting breaches that have already taken place or commenced. In this breach, where the attacker exploited database administrator accounts to access personal information without authorization, logging and monitoring of such privileged accounts would have improved Marriott’s ability to detect the breach sooner. This important layer of security would also have given additional protection, to complement any other safeguard gaps (e.g. access controls).

Marriott was not archiving its firewall logs for at least twelve months

43. Marriott’s investigation also identified that it was not archiving all firewall event logs for a minimum of twelve months, which is required under the PCI DSS. This also ensures that a log is recorded for any firewall event related to malware activities. The OPC acknowledges that Marriott indicated that the network was assessed annually by a third-party qualified security assessor for PCI DSS purposes, including in Summer 2016 and Summer 2017 when that assessor issued a report on compliance that resulted in an overall ‘compliant’ rating, indicating that Starwood had demonstrated full compliance with the PCI DSS framework.

Remote access restrictions and monitoring

44. Finally, Starwood administrator accounts legitimately accessed applications, systems, and data within the CDE via Citrix applications for remote access. However, the attacker also leveraged these Citrix applications in the breach. During Marriott’s investigation, a third-party forensic firm recommended that Marriott consider further restricting remote access by leveraging the intrusion detection and prevention system rules that monitor remote access activity from unusual sources. In relation to logging within the CDE, the forensic firm also recommended that Marriott adjust its logging configuration to ensure that remote access to resources are logged and monitored.

Information storage

Encryption

45. Encryption is yet another layer of security that can help safeguard personal information if that information is subject to unauthorized access. Importantly, the OPC expects that sensitive personal information is protected by additional safeguards, including encryption. As noted earlier, this breach involved passport numbers and encrypted payment card numbers of Canadians. These details are considered to hold a higher level of sensitivity, and even moreso if combined with other personal information, such as the kinds involved in this incident.
46. In relation to payment card numbers, Marriott confirmed that it uses Advanced Encryption Standard, AES-128. This encryption is applied where payment card numbers were entered into the designated payment card field, which is required by Marriott’s policy. However, Marriott’s investigation also identified a limited number of payment card numbers that were entered into data fields that were not designed to store payment card details and as such, these payment card numbers were not encrypted. This meant that the attacker may have had access to a number (i.e., approximately 260) of unencrypted payment card numbers. Marriott advised the OPC of their position that this unencrypted payment card data was not in a location that an attacker would be expected to have known or to have accessed, and there was no evidence that such data was, in fact, accessed.
47. In relation to passport numbers, the Database contained separate fields that stored passport numbers in an encrypted form and an unencrypted form (i.e. plain-text form). The OPC asked Marriott to explain why this information was inconsistently encrypted. In its response, Marriott advised that it had been unable to determine the rationale for this aspect of the design of the legacy Starwood system due to the departure of Starwood personnel.
48. The failure to apply encryption or commensurate compensating controls, across all sensitive personal information fields consistently, where it is feasible to do so, represents a weakness in safeguards.

Timely information deletion practices and information retention periods

49. The OPC expects that organizations delete or anonymize personal information in a timely manner (after it no longer is required for the purposes for which it was collected) as a safeguard measure consistent with the requirements set out in PIPEDA (in particular Principle 4.5). In the event of a breach of security safeguards, the timely deletion or anonymization of personal information can reduce the scale or impact of that breach.^{Footnote 12}
50. As indicated earlier, this breach affected a large population of individuals as it involved approximately 339 million records worldwide. Further, Marriott could not rule out the possibility that the oldest affected records in this breach were created in 2002. This highlighted that the breached personal information may have included records that were 16 years old by the time Marriott detected the breach.
51. In response to questions about its information retention policy, Marriott advised that the Starwood retention period for Canadian information in the Database was 10 years from the date the record was created. The OPC did not consider the merit of this claim for each discrete class of records that Marriott retained. Marriott’s reasons for the length of this retention period is examined later in this report.
52. In combination with other active security safeguards, compliance with deletion policies are important for reducing the scale or impact of a breach of security safeguards. In this case, Marriott’s retention of older guest records contributed to the volume of personal information impacted by this breach.

Findings

53. For the reasons described above, we are of the view that Marriott’s security safeguards were inadequate in protecting personal information, particularly with respect to:
    1. Access controls
    2. Anti-virus software
    3. Logging and monitoring
    4. Information storage
54. We find that the above deficiencies represent failures to implement appropriate security safeguards given the volume and sensitivity of personal information held by Marriott. Accordingly, Marriott is in contravention of Principle 4.7 of the Act.

Issue 2: Accountability

55. The breach involved unauthorized access pre-dating Marriott’s acquisition of Starwood in 2016. Upon acquiring Starwood in 2016, Marriott received control and responsibility of the Starwood network. Relevantly, we considered Principle 4.1.4, which requires organizations to implement policies and practices to give effect to the PIPEDA principles. In particular, the requirement to implement procedures to protect personal information [Principle 4.1.4(a)].
56. When acquiring new systems and databases that handle personal information, the acquiring organizations should take action to identify whether there are any security requirements for their acquisitions. This should be performed, where practicable, before the organization receives control of the information system or database, and certainly before using and integrating the data into existing systems. These actions should include various forms of testing, such as a network testing and an audit against recognized industry standards, a security assessment, or a threat risk analysis. The performance of such testing is important because if done properly, it can ensure the early identification of compromised assets and the measures that an organization needs to take (e.g. system improvements, updates, the implementation of new safeguards or processes, or malware removal) to resolve any areas of compromise or ensure newly acquired systems are adequately protected.
57. In relation to what due diligence it performed during its acquisition of Starwood, Marriott advised that it conducted fact-finding and analysis of the Starwood network. This included a series of meetings with Starwood IT employees, reliance on Starwood’s IT vendors, and independent third-party assessments of Starwood’s systems as part of Payment Card Industry Data Security Standard (“PCI DSS”) tests. Marriott indicated that there were a number of reliable indicators of appropriate IT security compliance relating to Starwood on or around the time of Marriott’s acquisition, including Starwood’s layered IT security measures, confirmations by legacy Starwood employees of security measures implemented in the Starwood systems, an independent third party assessor having confirmed its compliance with PCI DSS in April 2016, public statements made by Starwood in relation to the unrelated 2014/2015 Starwood payment card incident, and Starwood’s engagement of highly reputable third parties, such as Accenture, to provide products and services in relation to its security environment. Initially, these efforts were focused on determining which IT systems (i.e. Marriott’s or Starwood’s) would be used after Marriott’s acquisition of Starwood. Following its fact-finding and analysis, and after deciding to migrate the Starwood environment to Marriott’s systems over an approximately two year period (i.e. by 2018), an integration plan was implemented to:
    1. phase out Starwood’s systems;
    2. retain existing Starwood systems while bringing these in line with Marriott’s own standards and protocols; and
    3. engage external consultants to report on IT security matters in relation to the Starwood network.
58. As a result of its reviews, Marriott began taking a number of steps to enhance Starwood’s systems before it detected the breach. These steps spanned across various areas and include, but are not limited to, the following:
    1. Security governance and management – Marriott made organizational changes to enhance its accountability and data governance by making personnel changes and formalizing its Privacy and Information Security Governance Board and Privacy and Information Security Oversight Committee. Marriott also implemented an asset tracking tool to assess security risks and facilitate incident response by scanning the network, and assessing anti-virus and patch compliance in the Starwood network.
    2. Segmentation of the Starwood network based on geography, business purpose, and data classification. This included the separation or segmentation of the CDE, which held payment card data.
    3. Threat intelligence and vulnerability management – Monthly vulnerability scans of corporate servers on the Starwood network were run from 2014 to August 2017. This was expanded by Marriott from August 2017 to monthly scans of additional servers on the Starwood network.
    4. Identity and access management – Marriott extended multi-factor authentication to Starwood employees logging into certain human resources and payroll systems. Marriott also removed obsolete Starwood domain administrator accounts and limited third-party service provider access to only those who needed domain access to support Starwood’s environment.
    5. Incident and crisis management – Marriott revised its group incident response plan, which covered Starwood systems. Additionally, Marriott added system alerts on the Starwood network (e.g. identifying system call outs to known bad IP addresses). Marriott also completed a technical cyber table-top exercise, which simulated an incident occurring on the Starwood environment, with its third-party service providers that monitor system alerts.
59. Based on the above, it is evident that Marriott took a number of steps to improve the security of the Starwood network prior to its integration. However, even after taking these steps, certain gaps remained in Starwood’s safeguards (as examined under Issue 1: Safeguards) that highlight the importance of continually assessing your safeguard infrastructure against current and emerging threats.

Ongoing assessment and revision of a privacy framework, including security safeguards

60. In order to properly protect privacy and meet legal obligations, organizations must monitor, assess and revise their privacy framework periodically to ensure it remains relevant and effective. This practice extends to security safeguards, including testing and monitoring activities.^{Footnote 13} Evaluating security safeguards periodically is critical. It is not sufficient for an organization to have the right tools in place – the tools must be implemented properly, their warnings must be heeded, and they should be under continuous assessment with regular reviews and updates (e.g. for corrections and/or maintenance).
61. As noted earlier in this report, completing a network audit against recognized industry standards is one measure an organization can use to demonstrate its due diligence. Relevant to this breach, Marriott relied on Reports on Compliance (“ROCs”) from two different independent security assessors in 2015, 2016 and 2017, regarding Starwood’s compliance with the PCI DSS. Additionally, Marriott confirmed that penetration testing and vulnerability testing was regularly conducted on the Starwood network between 2014 and 2018 (i.e. before and after Marriott’s acquisition of Starwood’s systems).
62. These kinds of tests are important layers of security as they can identify gaps in an organization’s network perimeter that may be exploited by an attacker in future. However, these testing measures do not detect unauthorized activities being conducted by an attacker that has already penetrated the system or network. As such, logging and monitoring measures should be evaluated on an ongoing basis to ensure that they remain current and can effectively identify a range of unauthorized or suspicious activities, including instances where an attacker has already penetrated the system or network.
63. While the PCI DSS is an industry recognized standard, it is noteworthy that PCI DSS compliance is focused on cardholder data, even though in this case the ROCs covered the entire CDE containing both payment card and non-payment card data. This should not deter organizations from complying with the PCI DSS, particularly if they have certain requirements to do so. However, we expect organizations to also consider how they assess their compliance with handling personal information that is not cardholder data. For some organizations, particularly those with sensitive and extensive personal information holdings, it may be appropriate to conduct an additional assessment with another industry recognized standard (e.g. ISO or NIST). This kind of comprehensive assessment can ensure organizations are capable of identifying and remedying security gaps across all of their personal information holdings. To this point, Marriott also indicated that it invested in specific improvements to the security (including to the SIEM and SOC) of the Starwood systems that were due to be decommissioned.
64. In this case, this could have been applied to considering whether Guardium alerts were appropriately configured to log and detect suspicious activities involving payment cardholder information and non-cardholder data. Marriott took the position that, given the sophistication of the unknown attacker and the unknown method the attacker used to gain access to the Starwood network, there is no assurance that any configuration of the alerts (as contemplated in this paragraph) would have made a difference.
65. Finally, as mentioned earlier in this report, Marriott did not discover that multi-factor authentication had not been fully deployed on all accounts (including certain administrator accounts) until after it detected the breach in September 2018. This is an example where continuous review or evaluation of Marriott’s safeguards and monitoring would have likely identified this deficiency sooner, allowing it to then be rectified. This could have obstructed the attacker’s further activities on the Starwood network and reduced the scale and impact of the breach.

Findings

66. When Marriott acquired Starwood in 2016, it became accountable for implementing policies and practices to give effect to the PIPEDA principles, including protecting personal information. Although its post-acquisition assessment involved reviewing Starwood’s systems and making certain enhancements, due to weaknesses in performing ongoing assessments of security safeguards, we find that Marriott has contravened Principle 4.1.4.

Issue 3: Information retention

67. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall also be retained only as long as necessary for the fulfilment of those purposes.
68. As noted earlier in this report, Marriott advised that the retention period for Canadian information in the Database was 10 years from the date the record was created. Marriott further explained that the Database was a Starwood system and its data was subject to Starwood’s data retention policy. Retention periods described in Starwood’s retention policy varied depending on various factors including the jurisdiction, the category of records based on the relevant business requirements, and Starwood’s legal requirements.
69. Marriott submits that the above mentioned 10 year retention period is based on its requirements under the Alberta Corporate Tax Act (under sections 61-63) and the Alberta Limitations Act (under section 11). These legal requirements are with respect to ‘Records and books of account’ and ‘Judgement for payment of money’.
70. Different organizations will have varying business and legislative purposes for collecting, using and retaining personal information. The OPC understands that there is no “one size fits all” retention period. However, the OPC expects organizations to consider the following factors when assessing an appropriate retention period:^{Footnote 14}
    1. The purpose for having collected the personal information in the first place.
    2. If personal information was used to make a decision about an individual, it should be retained for the legally required period of time thereafter, or a reasonable amount of time to allow the individual to access that information in order to understand, and possibly challenge, the basis for the decision.
    3. If retaining personal information any longer would result in a prejudice for the concerned individual, or increase the risk and exposure of potential data breaches, the organization should consider safely disposing of it.
71. Although Marriott’s response has referred to legal requirements that indicate a minimum retention period, we understand that this applies only to certain personal information that could exclude specific guest reservation details (e.g. passport numbers, guest details that are not associated with Alberta). Further, as confirmed by Marriott, certain information that was subject to the breach was retained from as far back as 2002 (i.e. for longer than 10 years) and may have related to individuals whose country-of-residence information was listed as Canada.

Findings

72. Based on above information, we find that Marriott retained certain personal information on Canadian individuals for a period longer than was necessary for the fulfilment of the legal purposes it cited. Accordingly, we are of the view that this represents a contravention of Principle 4.5.

Issue 4: Notification to Affected Individuals and Mitigation Measures

Notification to Affected Individuals

73. Where Marriott had a valid email address for Canadians affected by the breach, Marriott notified these individuals directly via email. Marriott confirmed that it began sending direct email notifications on November 30, 2018, and completed this on December 15, 2018. Marriott notified the remaining affected individuals indirectly via the following steps:
    1. On November 30, 2018, Marriott issued a press release and launched a dedicated website with information about the breach and suggestions for how potentially affected individuals could protect themselves.
    2. Marriott placed a link to its dedicated incident website on the Marriott and Starwood property homepages, as well as on Marriott and Starwood’s mobile applications.
    3. On January 4, 2019, Marriott issued an updated press release with additional information for potentially affected individuals.
74. The breach also received widespread media coverage, in mainstream media across Canada and globally. Given that Marriott took action to notify affected individuals directly and indirectly, we are satisfied that Marriott’s indirect notification was adequate in reaching affected individuals.

Mitigation measures

75. In addition to describing the details of the breach, Marriott’s above notifications offered affected Canadians one year of free web monitoring through WebWatcher, which monitors internet sites where personal information is shared (e.g. the dark web, hacker forums) and generates an alert to the individual if evidence of their personal information is found. Additionally, Marriott established a dedicated call centre with toll free numbers for affected individuals, and implemented a process to enable affected guests to verify whether their passport number was involved in the breach. While Marriott indicated that no affected individual had actually demonstrated that their passports were used fraudulently, Marriott confirmed that it also had a claims process for individuals who demonstrated that their passport number had been affected and used fraudulently, allowing those individuals to be reimbursed for the cost of replacing their passport. Further, Marriott added staff and resources, and refined its online information access request portal for individuals, to support communications that it was receiving from individuals affected by the breach.
76. Finally, Marriott notified its credit card and payment card networks (e.g. VISA, Mastercard, American Express) of the incident on November 29, 2018, and provided them with the affected card numbers that were relevant to their network on December 6, 2018.
77. Following a breach of security safeguards, it is important that organizations take appropriate mitigation measures to prevent the future unauthorized use of the compromised personal information.^{Footnote 15}
78. As noted earlier in this report, Marriott indicated that there is no substantiated claim of financial loss or other evidence of phishing or other misuse arising from personal information potentially accessed in this incident. While not all data elements were present for any particular record, the combination of the compromised personal information in this breach^{Footnote 16} introduce a real risk of harm through identity theft or phishing attacks that could lead to fraudulent activities for records in which numerous data elements were present. Based on the OPC’s experience, these harms can be mitigated by credit monitoring services, which can alert affected individuals to fraudulent credit applications, prompting those individuals to contact the appropriate financial institutions and prevent identity theft. Although credit monitoring may be provided in conjunction with other monitoring services, it remains an important mitigation measure as it can alert individuals to fraud even if their personal information has been removed from an online forum.
79. While we agree that Marriott has taken positive steps (as noted in paragraph 75 above) that will help prevent further misuse of the information involved in the breach, the free web monitoring offered through WebWatcher was only effective for one year. As above, Marriott has indicated that there has been no substantiated claim of financial loss or other evidence of phishing or other misuse arising from this incident, which was publicly disclosed on November 30, 2018. The OPC would typically expect an organization to offer protections (such as web monitoring or credit monitoring) for an extended period. This would be to prevent harm (e.g. identity theft or fraud) that may occur, should a malicious actor with access to the compromised information wait (e.g. until after the monitoring period) to misuse that information. However, in the circumstances described above, one year of web monitoring seems minimally sufficient, given that Marriott took additional measures, including the implementation of a claims process for passport replacement costs and the notification of credit card and payment card networks of the affected card numbers.

Marriott’s remediation of the breach

80. Following its discovery of the breach, Marriott blocked and removed all malware and associated tools that were installed by the attacker. This included the web shell, RATs, credential harvesting program (Mimikatz), and VPN.
81. Marriott confirmed that the Database is no longer being used to conduct business operations, and reservations are now operating through the Marriott system. This was effective from December 11, 2018, when Marriott completed its migration of all data to Marriott’s systems and decommissioned the Database.
82. Further, since it detected the breach in September 2018, Marriott advised that after the breach it has undertaken a range of containment and remediation activities to enhance its security safeguards. These activities spanned across a range of different areas, including but not limited to those listed below. Notably, changes made by Marriott correspond with the safeguard weaknesses relevant to the breach.
    1. Network changes
    2. Access controls
    3. Logging and monitoring measures
    4. Information storage – including encryption and data minimization
    5. Vulnerability testing and assessment
    6. Organizational and governance measures

Conclusion and recommendations

83. Based on the issues that we have examined as outlined in this report, we find certain allegations in the complaints to be well-founded and conditionally resolved with respect to:
    1. Marriott’s security safeguards – access controls, anti-virus software, logging and monitoring, Information storage (Principle 4.7 of the Act);
    2. Marriott’s performance of ongoing assessments of security safeguards (Principle 4.1.4 of the Act); and
    3. Marriott’s retention of personal information about Canadians for a period longer than necessary for the fulfilment of the legal purposes it cited (Principle 4.5 of the Act).
84. With respect to the issue of notification to affected individuals, our investigation found Marriott’s direct and indirect notification measures to be adequate, and note the positive mitigation measures offered to affected customers.
85. The occurrence of this breach highlights the importance of accountability and security safeguard measures that organizations should apply, particularly with respect to information systems and databases that they are acquiring or taking control over. In particular, it is vital that organizations perform various forms of testing when acquiring new systems, to ensure that they can identify and (where needed) enhance security safeguards. The circumstances of this breach also illustrate the importance of ensuring the complete and comprehensive implementation of access controls and logging and monitoring activities, to the extent possible.
86. Marriott’s confirmation that the Starwood Database was decommissioned in December 2018 and that reservations are now operating through Marriott’s systems provides some assurance that deficiencies associated with the Starwood Database were addressed. We also acknowledge that Marriott has sought to apply lessons it learned from this breach by implementing a range of enhancements, as described earlier in this report. However, we have outstanding concerns regarding:
    1. Starwood’s measures to restrict and monitor remote access (see paragraph 44)
    2. Starwood’s storage of certain payment card data and passport data in an unencrypted format, and personal information that had been collected in 2002 (see paragraphs 45-52)
    3. The period for which Starwood retained personal information relating to Canadians, at least within Starwood’s systems (see paragraphs 68-71)
    4. Marriott’s ongoing assessment and revision of its security safeguards (see paragraphs 60-65)
87. In consideration of the remedial processes and procedures put in place subsequent to the breach, we are of the view that if properly and faithfully implemented, these processes and procedures will address the above security safeguard concerns (see paragraph 86). We also consider it is important that Marriott ensure these remedial processes and procedures are addressed in all of its current systems that handle personal information, even for those systems that were not involved in the incident. Given the paramount nature of proper and consistent implementation and adherence, we recommended the following towards facilitating compliance and accountability:
    1. Marriott retain an experienced and accredited independent external assessor to evaluate the enhancements it has undertaken to prevent a similar privacy breach from re-occurring on its systems. At the conclusion of this review, Marriott submit a report of this assessment to the OPC within nine (9) months of the date of our final report of findings. This report should include the assessor’s findings regarding Marriott’s:
       1. Access controls – including Marriott’s implementation of enhanced mandatory multi-factor authentication and IP whitelisting for systems containing personal information, appropriate to the sensitivity of that personal information;
       2. Anti-virus software and endpoint threat detection tools – including how effective Marriott’s endpoint threat detection tools are, with respect to detecting and addressing vulnerabilities in real-time;
       3. Logging and monitoring measures – to ensure that these activities are comprehensive and timely such that Marriott can enhance its ability to detect suspicious activities and network intrusions without delay, Marriott can more effectively monitor privileged or administrator accounts, firewall event logs are archived for a minimum of 12 months or as required under the PCI DSS, and remote access is monitored and restricted appropriately; and
       4. Information storage – including Marriott’s performance of regular scans for any inadvertently stored personal information (e.g. sensitive information, aged data, information stored against Marriott’s policies) and where appropriate, applying additional protections or deleting that data. In that regard, Marriott‘s data retention and destruction process should incorporate privacy sensitive measures (as described in paragraph 70 of this report) and minimum (where appropriate) and maximum information retention periods.
    2. In relation to the above assessment report mentioned above at paragraph 87(a), Marriott should detail and explain its decision to accept or reject the assessor’s recommendations, including a schedule for implementing the recommendations if they are accepted.
    3. Marriott should review their organizational and governance measures to ensure the ongoing assessment and regular review of their privacy framework, information security program, information security controls, incident response capabilities, and due diligence process for acquired assets.
    4. At the conclusion of the review mentioned above at paragraph 87(c), Marriott submit a report of this review to the OPC within nine (9) months of the date of our final report of findings. This report should detail Marriott’s findings, and include an explanation and schedule for how and when Marriott plans to address these findings.
88. Finally, we note the attacker’s use of a credential harvesting tool in this breach. Although credential harvesting and credential stuffing are different threat vectors, to further enhance Marriott’s security safeguard posture we encourage them to review the recently released Credential Stuffing Guidelines produced by the Global Privacy Assembly’s International Enforcement Cooperation Working Group. These guidelines identify the threat of credential stuffing to personal data and recognised measures that organisations can use to mitigate risks to the compromise of personal data through this attack vector.