Attivo Networks Blogs

Marriott Breach Exposes More than Just Customer Info

SC media logo

Marriott’s massive data breach exposed more than just 500 million customer records, it is also shining a light on the role cybersecurity needs to play when a firm is in acquisition mode, along with the damage that even one slip up by an employee can have on the entire company.

Marriott has not disclosed exactly how cybercriminals managed to enter the Starwood reservation system compromising 500 million records, but the early action on the breach is leaning toward the malicious actors obtaining employee credentials in some manner and gaining access to the system. And since their presence was in place two years before Marriott’s purchase of Starwood Hotels there was an obvious omission by Marriott during its vetting process of Starwood and its computer network.

The general consensus is the breach did not involve a hack using malware, but a few other possibilities have been broached. Ben Johnson, co-founder and CTO of Obsidian Security, thinks the attacker originally gained entry through an employee error.

“Often threat actors obtain employee-level access and ‘live off the land’, using built-in tools and IT systems to traverse the environment. Furthermore, due to a lot of the reporting being around encrypted data, it’s highly possible that it was a database backup system that was compromised, as the backup systems often have lower security scrutiny than production,” he told SC Media.

Phishing has also popped up as one possible path of attack.

“At this point, we can only speculate, but if I had to guess, phishing would be at the top of the list. My second guess would be a third-party vendor compromise – possibly via phishing or other poor security practices like an unpatched vulnerability – that gave them a foothold within the Starwood enterprise,” said David Pearson, principal threat researcher at Awake Security.


Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

4 × two =

Ready to find out what’s lurking in your network?

Scroll to Top