Slashdot Mirror

← Back to Stories (view on slashdot.org)

Marriott's Breach Response Is So Bad, Security Experts Are Filling In the Gaps (techcrunch.com)

Posted by BeauHD on from the poor-responses dept.

An anonymous reader quotes a report from TechCrunch: Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all. Marriott sent its notification email from "email-marriott.com," which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate. In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.

Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named "email-mariott.com" on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.

12 of 78 comments (clear)

  1. Re:Blaming the User by Calydor · · Score: 4, Informative

    No IT system will ever be strong enough to defend against a user clicking on a link to go to a webpage and voluntarily entering their credit card info.

    --
    -=This sig has nothing to do with my comment. Move along now=-
  2. mission accomplished by sad_ · · Score: 4, Insightful

    everybody is talking about how bad the email was instead of the breach itself.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
    1. Re:mission accomplished by ShanghaiBill · · Score: 4, Insightful

      everybody is talking about how bad the email was instead of the breach itself.

      Breaches don't matter anymore. I was a victim of the Home Depot, Target, and Equifax breaches. So all my information is already "out there". Most other people are in the same situation. Yet another breach doesn't make any difference. Who cares?

  3. Re: Operational considerations by Anonymous Coward · · Score: 2

    Yes they do. You can piss people off until they're swearing at you, but they'll be back when you have the thing they want at the best price or offer it in a more convenient way than the competition. Your comment is just an example of the typical irrational way customers think. They put fantasies of how things should be before the way things actually are.

  4. Re: Yes, that is... by Doke · · Score: 3, Funny

    Typing a dodgy domain name into your browser is probably safe, if your browser is Lynx...

  5. notification on a different domain by Doke · · Score: 2

    Their data breach notification site is also on a different domain, answers.kroll.com. I know Kroll, but many people would simply see that it's a different domain name, and assume it was a scam.

  6. Internal messaging system is the key by ctilsie242 · · Score: 4, Insightful

    What I've seen banks, even the local power company, is to have an internal messaging system. This way, any E-mails at most will alert you to log in (also warning to manually type in the URL, and not click on a link) and check your messages, with a warning that anything else is likely a phishing attempt.

    Plus, because everything is handled via the internal system, there is more control, which is a help when it comes for GDPR/PCI-DSS/HIPAA/FERPA/whatever compliance, as messages never leave the site.

  7. Wrong tool for the job by apoc.famine · · Score: 3, Insightful

    posted a long tweet thread...

    Huh. It's almost like twitter is one of the worst ways to communicate complicated things. Too bad there aren't any places on the internet where one can post long-form information and have a discussion about it. Guess we'll just have to break everything into 30 different tweets.

    --
    Velociraptor = Distiraptor / Timeraptor
    1. Re:Wrong tool for the job by nwaack · · Score: 3, Insightful

      Twitter is one of the worst ways to communicate, period. It should be destroyed in fire.

  8. CSC registered it is a STRONG clue by mysidia · · Score: 3, Informative

    Just because an advanced user has difficulty vetting the domain doesn't mean there's something wrong with it.

    There's no "official" universally accepted criteria for authenticating a domain belongs to the company whose name is claimed on the domain, and even the use of a basic TLS certificate is not foolproof; However, CSC Being a corporate-only registrar that is used by most of the largest internet brands in the US has a very HIGH PRICE to engage their services, let alone register a domain ----- unless a state actor is involved or an additional major breach of CSC themself; the probability of a phishing domain getting registered through CSC AND also with DNS hosted by CSC seems extremely remote --- particularly when you look at the second positive indicator.


    Registration is mature --- the domain email-marriott.com has been registered for 4 years created in August 2014. That would mean its been dormant or used for purposes not detected as phishing for an extremely long term: generally when a domain name is used for phishing abuse takedown procedures get initiated immediately, and most often the domain is shutdown by its registrar within days.

    COULD the breach notification be faked? Yes, In theory. So just be cautious if you receive an e-mail to not provide personal information after clicking on a link in the message. Close the browser window and visit the company's website. Open a ticket with support if the breach notice implies you need to do something, and you can't find a way to do it on their website --- ultimately a company's call-in support should be able to confirm the message is real or not and assist.

  9. Re:Blaming the User by PhunkySchtuff · · Score: 2

    If they don't have the customer's contact details, then their personal details weren't stolen and they don't need to notify them.

    --
    Specialist Mac support for creative pros, Melbourne
  10. Re:Yes, that is... by thegarbz · · Score: 2

    The whole concept that ANY email from ANY domain is in any way secure

    The idea is not for an email to be secure. It's for it's content to be trustworthy and not easily mistaken for something else. The question is not where does the email come "From:". It's about where it sends users and what it instructs them to do. Going to any domain other than www.marriott.com is an instant red flag which users should be trained to identify as phishing attempts at this point.