MTTD Four Years
Today, in the cybersecurity community, we understand that it is not if you will be breached, but when you will be breached.
When I heard that Starwood guest reservation database had been breached, I was not surprised. I was not surprised, not because we are accustomed to hearing about our personal information, yet again, being released; but because I had an interesting experience at a hotel, and for months, I continue to come back to an image that has not left my mind, which I share below.
I have highlighted in red and blocked all passwords that were on the screen. At first I laughed to myself, because I remember a time that you would walk into a data center, and admin passwords would be on a sticky note on a screen. As workplaces began to be audited, the sticky note on the screen would be hidden under the keyboard, although this stealthy technique was caught as well, and soon passwords would be moved to a .txt, and found on the desktop as an icon listed as passwords.txt. So, seeing the sticky note with the password, did help me to reminisce.
However, as I further looked at the picture, I was surprised by all the information that the clerk was supposed to ask a guest while checking in, such as phone number, address and rewards number, which I have blacked out as not to identify the hotel chain.
I have thought about writing the hotel management, but the employees have always been so nice, that I fear they would get in trouble. And therein lies one of the problems to cybersecurity; a company wants your personal identifying information and yet the process and controls is broken by posting a password to the guest reservation system on a sticky note.
It is this system, the guest registration system, that was breached and presently is one of the largest breaches to date, behind Yahoo in 2013. The amount of information gathered and released is staggering, but a more alarming fact is the MTTD, mean time to detect, was four years.
Here is what we know thus far about the breach:
-Unauthorized access to the Starwood reservation database that contained guest information
-Bad actors have been inside of the company network since 2014
-Encrypted information from database for exfiltration
-Information that was stolen includes; name, mailing address, phone number, email, passport number, rewards number, account information, birth date, gender, past stay information, communication preference, and credit card on file.
Please see my article from October, the Anatomy of an Attack.
There are lawmakers wanting to create laws that could possibly jail company representatives for not protecting information. While I think this is extreme, we do not get to the root of the problem, and that is, why do companies want so much information on us? Companies have data lakes, that have so much information on who were are, what we buy, what we do, on a day to day basis, yet it is not protected, as we can see from so many data breaches. The truth is that all this data becomes not useful. Too much data for a company to analyze. I actually call data lakes, data swamps.
We need the data swamps cleaned up before we all drown. Business has all the information they need and more than they can safely manage, in order to keep us safely Connected.