Thoughts on the SPG Reservation System Leak
When last week’s news about the SPG reservations system hack broke, I immediately wanted to write something beyond what we originally posted about it since I am in the IT field. However, since I’m not savvy enough when it comes to security, I reached out to my friend Bruce, who has a more in-depth understanding on the topic. Here are some of his thoughts:
Last week’s announcement by Marriott about the SPG reservation data breach is yet another instance of large company losing troves of customer data and then saying “sorry” in hopes that we will forget about it. While this was SPG’s (now defunct) reservation system, hopefully others in the industry have already beefed up their practices.
Some major things worth noting:
CC data was encrypted, but encryption key may have been exposed
Companies should be using dedicated servers that hide the most secret keys in a secure manner. These servers are called Hardware Security Modules, or HSMs. Decryption of a piece of a data is done on the HSM itself, meaning the keys to the kingdom are hidden from the world. Internal systems can then use some sort of internal identifier to locate the encrypted CC information, meaning a leaked internal identifier gets criminals nothing.
This does not seem to be the case in this leak since it’s being reported that that data did become leaked. It’s the equivalent of using a really complicated password for your online banking but writing it down on a post it note under your keyboard…
Passport numbers and other identifying information were co-mingled and in cleartext
Passport numbers, while in and of themselves are not dangerous if exposed, are globally-identifiable information for a person. This and other personally-identifiable information (PII) is sensitive enough to have stored in clear text next to your reservation records as it makes it really easy to associate the person with their passport number. While there’s no direct harm (as a reminder: the US Embassy has stated there’s no risk of the passport number being leaked), this is a breach of customer trust and puts some people at risk since all of their stays at SPG hotels can quickly be traced back to them.
If you’re going to store personally-identifiable information, store it in a separate system apart from your reservation database and swap in an internal identifier that allows you to fetch that information at an as-needed basis. While that means you now have a basket full of PII to protect, it’s at least one easy way to guard a basket that should have very few connections to it.
The fact that it doesn’t seem like they implemented this as a best practice tells a lot about how much care they put into safeguarding customers’ information. It’s the equivalent of writing your username AND password on the same post it note under your keyboard…
The breach had been going on since 2014
I don’t know how the data leak worked, but the fact that it took until this year to announce that it had been happening is a damning sign of how internal security is approached, at least when this was SPG-land. Security is hard, but that’s why information security teams exist.
Good security hygiene mandates:
- An understanding of what risk the data contained in a system has and therefore some sort of classification.
- Rotating passwords and other security credentials regularly in case one leaks.
- Internal systems that log who is communicating with it and what they’re asking of it.
- Somebody actually looking at the trends and noting when weird traffic shows up, especially on sensitive databases.
From a network security perspective it’s about auditing your points of entry and exit along with looking for odd behavior from your systems.
Finally, from a software development perspective it requires a close relationship with your information security team to help identify threats you might not have thought about. However that also means that the culture in your company needs to treat security as a core component of the trust that customers place in giving you their data. Nobody wants to be on the front page of the New York Times, but some companies care more about that risk than others and their investment in security (or lack thereof) shows it.
I have previously defended the relatively glitchy, yet successful, merger of SPG-Marriott. I may have to recant my previous opinion, though, that we should trust them to iron out all the kinks in time, considering they keep proving myself wrong every time their IT continues to -in technical terms- F up…