Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third-party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.
Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.
everybody is talking about how bad the email was instead of the breach itself.
On a long enough timeline, the survival rate for everyone drops to zero.
What I've seen banks, even the local power company, do is to have an internal messaging system. This way, any E-mails at most will alert you to log in (also warning to manually type in the URL, and not click on a link) and check your messages, with a warning that anything else is likely a phishing attempt.
Plus, because everything is handled via the internal system, there is more control, which is a help when it comes for GDPR/PCI-DSS/HIPAA/FERPA/whatever compliance, as messages never leave the site.
posted a long tweet thread...
Huh. It's almost like twitter is one of the worst ways to communicate complicated things. Too bad there aren't any places on the internet where one can post long-form information and have a discussion about it. Guess we'll just have to break everything into 30 different tweets.
Velociraptor = Distiraptor / Timeraptor