This article is from the WeChat public account InfoQ (ID: infoqchina), author: Wan Jia. Header image from: Vision China

In less than two years, Marriott has suffered another data breach. On Tuesday, the hotel group said that the personal information of up to 5.2 million guests had been exposed. Last time, the records of 383 million guests were exposed.

1. Event Review

On March 31, according to a CNET report, Marriott announced on Tuesday that it had suffered a data breach in which the personal information of up to 5.2 million guests was exposed.

The hotel group said the exposed personal information could include names, addresses, email addresses, phone numbers and birthdays, as well as loyalty account details such as room preferences.

Marriott said it noticed at the end of February that a large amount of guest information had been accessed at a franchised property using the login credentials of two employees.

Marriott said the breach is still under investigation, but that it does not believe guests' credit card numbers, passport information or driver's license numbers were exposed. The company has sent notification emails to affected guests and is offering them one year of free personal information monitoring.

For this well-known hotel group, this is the second major security incident in less than two years.

2. Last time was worse: a $12.5 billion lawsuit and a $124 million fine

In November 2018, Marriott announced that a guest reservation database of its Starwood Hotels brand had been hacked and that the personal information of as many as 500 million Starwood guests may have been exposed.

The intrusion reportedly began as early as 2014, but the company did not receive its first alert until September 2018. Of the 500 million records, about 327 million contained some combination of name, mailing address, phone number, email address, passport number, SPG account information, date of birth, gender, arrival and departure information, reservation dates and communication preferences.

More seriously, for some guests the exposed data also included payment card numbers and expiration dates. Although these were encrypted, the possibility that the attackers also obtained the decryption key cannot be ruled out.

After further investigation, Marriott revised the number of affected guests to 383 million.

Analysing this incident, an article by Alibaba Security pointed out that hotel-group data breaches generally have three causes:

First, data theft by an unauthorized third party;

Second, a privileged account leaked through GitHub: a developer pushes code containing a database account and password to GitHub, attackers scanning the platform find it, and they use it to dump the database;

Third, POS terminals infected with malware: payment card data is stolen because malicious code has been implanted in the point-of-sale machines.

This breach brought Marriott not only lawsuits but also heavy penalties from regulators. In the courts, attorneys Ben Meiselas of the US law firm Geragos & Geragos and Michael Fuller of Underdog Law filed a class action against Marriott on behalf of two plaintiffs, David Johnson and Chris Harris, seeking $12.5 billion in damages.

As for fines, the UK data protection regulator announced a fine of nearly £99 million (about $124 million) against Marriott for the breach, which dates back to 2014, for violating the EU General Data Protection Regulation (GDPR).

GDPR is explicit that all organisations are accountable for the personal data they hold. This includes carrying out appropriate due diligence when entering into partnerships or transactions, and taking suitable measures to assess what personal data they have acquired and how it is protected. Personal data has real value, so organisations have a legal duty to keep it secure, just as they would any other asset.

3. Security Reflections

In recent years, as personal data has grown in value and leaks have become frequent, the places where user data pools, such as hotels, have become prime targets for hackers. Besides Marriott, hotel groups including InterContinental (IHG), Hilton, Hyatt, Mandarin Oriental and Huazhu have all suffered user data breaches:

  • 2014 and 2015: Hilton Hotels, more than 360,000 payment cards affected;

  • April 2017: IHG, a breach affecting more than 1,000 hotels worldwide;

  • October 2017: Hyatt Hotels, a breach affecting 41 Hyatt hotels worldwide;

  • August 2018: Huazhu Hotels Group, 500 million records leaked and offered for sale on the dark web;

  • October 2018: Radisson Hotels, the amount of data exposed was not disclosed.

These large hotel groups are widely distributed, with chains around the world and huge numbers of guests, many of them business travellers. Hotels have become one of the main targets of hacking in recent years: once guest data is stolen, the attacker can put it up for sale on the dark web.

By the author's count, in January 2020 alone there were two hotel data breaches: Landry's, a US restaurant and hotel company, suffered unauthorized access that exposed customer card data, and HappyHotel, a Japanese love-hotel search engine, suffered a data breach.

Frequent data breaches in the hotel industry not only damage hotel brands' reputations but also seriously endanger the security of users' personal information.

4. How to protect user privacy?

Whether for a hotel or any other business, protecting user privacy is a top priority.

How? Hotels can start from four angles: preventing loss, preventing abuse, preventing tampering and preventing leaks.

  • First, strictly control source code: make clear to every developer that no code may be uploaded to third-party platforms, and have any code already uploaded removed immediately. More fundamentally, credentials should never be in source code at all, so that an accidental push exposes nothing;

  • Second, full-scope penetration testing: run penetration tests across all services and close any vulnerability found that threatens data security;

  • Third, sort out permissions: inventory sensitive data, the people who access it and the permissions of each business system as soon as possible;

  • Fourth, data encryption: classify the sensitive data identified in the inventory, decide which fields must be encrypted, and use a third-party transparent encryption system or a cloud encryption / key management service to complete the migration step by step.
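The second cause in the Alibaba Security analysis above (a database password pushed to GitHub) and the first of the four measures (keep code off third-party platforms) both come down to catching credentials before they leave the developer's machine. The following is an added example, not code from the original article or from any of the companies mentioned: a small pre-commit style scanner in Python that flags lines containing what look like hardcoded database connection strings, password assignments, AWS access key IDs or private-key blocks, while letting through lines that read the secret from the environment or a secret store. The regular expressions, the allow-list and the sample files are all constructed for illustration.

```python
"""Pre-commit style scanner for hardcoded credentials (added example).

Scans the text of files about to be committed and flags lines that look like
database connection strings, password assignments, cloud access keys or
private-key blocks. Patterns, allow-list and sample files are constructed for
illustration and should be tuned for a real code base.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, int, str]  # (path, line number, rule name)

# Conservative patterns to limit false positives.
RULES: List[Tuple[str, re.Pattern]] = [
    ("db_connection_string",
     re.compile(r"(?i)\b(?:mysql|postgres(?:ql)?|mongodb(?:\+srv)?)://[^\s:/@]+:[^\s@]+@")),
    ("password_assignment",
     re.compile(r"(?i)\b(?:db_)?pass(?:word|wd)?\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Lines that fetch the secret from the environment or a secret store are fine.
ALLOWED = re.compile(r"(?i)os\.environ|getenv|vault|secretsmanager|\$\{")


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per suspicious line (first matching rule wins)."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOWED.search(line):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, lineno, name))
                break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file content, e.g. the staged files of a commit."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample of "staged files" for demonstration.
SAMPLE_FILES = {
    "config/settings.py": (
        "DB_HOST = 'db.internal'\n"
        "DB_USER = 'booking_app'\n"
        "DB_PASSWORD = 'Sup3rSecret!'\n"                 # hardcoded: flagged
        "DB_PASSWORD_OK = os.environ['DB_PASSWORD']\n"   # read from env: allowed
    ),
    "scripts/migrate.sh": (
        "#!/bin/sh\n"
        "mysql -h db.internal -u root booking < schema.sql\n"
        "export DSN='postgresql://admin:hunter22@db.internal:5432/booking'\n"  # flagged
    ),
    "README.md": "Run `make test` before committing.\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for path, lineno, rule in hits:
        print(f"{path}:{lineno}: possible hardcoded secret ({rule})")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

Wired into a pre-commit hook, or into a CI job that runs over the diff of each push, a non-zero exit blocks the commit. The allow-list deliberately lets through lines that read the secret from the environment or a vault, which is the pattern the first measure should push developers toward: if no credential is in the code, an accidental upload leaks nothing.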

Where database security is concerned, companies should assess database risk regularly. Companies that use risk assessment tools to monitor their databases in near real time will notice much sooner when sensitive data leaves the database.

For hands-on database security we recommend:

  • Change the default port: a non-default port will not stop a determined attacker, but it does raise the bar against opportunistic scanning;

  • Block public access: listen only on internal network interfaces and firewall off public-facing ports, which further raises the cost of intrusion;

  • Run as an unprivileged user: every database you maintain should run as a dedicated non-root account that cannot log in interactively;

  • Enable authentication: tedious and sometimes painful to roll out, but a database reachable without credentials is an open door, so this is the wise choice;

  • Permission control: design a permission and role scheme that fits each business system, granting each account only the privileges its job requires;

  • Backup strategy: reliable local backup logic plus off-site backup storage covers being hacked, accidental deletion, a data-centre leak, a decommissioned server, and even the data centre being hit by a nuclear bomb;

  • Recovery strategy: a recovery plan that covers most disaster scenarios is essential, so that an incident does not turn into chaos;

  • Encrypted storage of sensitive data: encrypt sensitive fields such as email addresses and physical addresses before they are written to the database, and store passwords only as salted hashes from a slow password-hashing function, never encrypted or in plaintext.
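Several of the checklist items above (a non-default port, no listening on public interfaces, authentication enabled, no cleartext credentials on the wire) are plain settings in the database's own configuration, so they can be audited mechanically rather than by inspection. The following Python script is an added example, not from the original article: it parses a PostgreSQL postgresql.conf and pg_hba.conf and reports which of those items fail. The weak and hardened configurations it runs against are constructed samples; the defaults it assumes for missing settings (port 5432, listen_addresses localhost, md5 password hashing on releases before 14) are PostgreSQL's documented defaults. Running the server as a non-root OS user, fine-grained grants, and the backup and recovery strategy are outside what these two files can show and are not checked here.

```python
"""Audit PostgreSQL configuration against the checklist above (added example).

Parses postgresql.conf and pg_hba.conf and reports default port, listening on
public interfaces, TLS off, weak password hashing, 'trust' or cleartext
'password' authentication, and rules open to any address. The configs below
are constructed samples. Defaults assumed for missing settings: port 5432,
listen_addresses 'localhost', password_encryption md5 (pre-PostgreSQL-14).
"""
import re
from typing import Dict, List

DEFAULT_PORT = 5432
ANY_ADDRESS = ("0.0.0.0/0", "::/0", "all")


def _strip(raw: str) -> str:
    """Drop comments and surrounding whitespace from a config line."""
    return raw.split("#", 1)[0].strip()


def parse_conf(text: str) -> Dict[str, str]:
    """postgresql.conf: key = value (quotes stripped) -> dict."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = re.match(r"^(\w+)\s*=?\s*(.+)$", _strip(raw))
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip("'\"")
    return settings


def parse_hba(text: str) -> List[Dict[str, str]]:
    """pg_hba.conf: one dict per rule with type, database, user, address, method."""
    rules: List[Dict[str, str]] = []
    for raw in text.splitlines():
        f = _strip(raw).split()
        if f and f[0] == "local" and len(f) >= 4:
            rules.append(dict(type="local", database=f[1], user=f[2], address="", method=f[3]))
        elif f and f[0] in ("host", "hostssl", "hostnossl") and len(f) >= 5:
            rules.append(dict(type=f[0], database=f[1], user=f[2], address=f[3], method=f[4]))
    return rules


def audit(conf_text: str, hba_text: str) -> List[str]:
    """Return findings; an empty list means every check passed."""
    conf = parse_conf(conf_text)
    findings: List[str] = []
    if int(conf.get("port", DEFAULT_PORT)) == DEFAULT_PORT:
        findings.append("port: default 5432 in use; choose a non-default port")
    listen = conf.get("listen_addresses", "localhost")
    if listen in ("*", "0.0.0.0", "::"):
        findings.append(f"listen_addresses: '{listen}' listens on every interface; bind to internal addresses only")
    if conf.get("ssl", "off").lower() != "on":
        findings.append("ssl: off; enable TLS so credentials do not cross the network in clear")
    if conf.get("password_encryption", "md5").lower() != "scram-sha-256":
        findings.append("password_encryption: not scram-sha-256; md5 password hashes are weak")
    for r in parse_hba(hba_text):
        where = " ".join(v for v in (r["type"], r["database"], r["user"], r["address"]) if v)
        if r["method"] == "trust":
            findings.append(f"pg_hba: '{where}' uses trust, which disables authentication")
        if r["method"] == "password":
            findings.append(f"pg_hba: '{where}' sends passwords in cleartext")
        if r["type"] in ("host", "hostnossl") and r["address"] in ANY_ADDRESS:
            findings.append(f"pg_hba: '{where}' accepts connections from any address")
    return findings


# Constructed samples: an exposed default install and a hardened one.
WEAK_CONF = "listen_addresses = '*'\nport = 5432\nssl = off\npassword_encryption = md5\n"
WEAK_HBA = (
    "# TYPE  DATABASE  USER  ADDRESS    METHOD\n"
    "local   all       all              trust\n"
    "host    all       all   0.0.0.0/0  md5\n"
)
HARDENED_CONF = (
    "listen_addresses = '10.20.0.5'   # internal interface only\n"
    "port = 5499                      # non-default port\n"
    "ssl = on\n"
    "password_encryption = scram-sha-256\n"
)
HARDENED_HBA = (
    "local   all      all                       scram-sha-256\n"
    "hostssl booking  booking_app  10.20.0.0/24  scram-sha-256\n"
)

if __name__ == "__main__":
    for label, conf, hba in (("weak", WEAK_CONF, WEAK_HBA), ("hardened", HARDENED_CONF, HARDENED_HBA)):
        problems = audit(conf, hba)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

The weak sample produces six findings, the hardened one none. Note that the hardened pg_hba.conf uses hostssl for the only network rule, scoped to one database, one role and one internal subnet, which is the "permission control" item expressed at the connection level; the grants inside the database still need to follow least privilege separately.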
