Marriott’s $123 million mistake: A two-step technical guide to avoiding costly GDPR fines

Marriott’s $123 million mistake: A two-step technical guide to avoiding costly GDPR fines

Rebecca Yarbrough — December 5th, 2019

When GDPR went into effect in May 2018, the regulations were vague and broad. Now, it’s clear that data breaches qualify as GDPR violations and the ICO is aggressively punishing companies that do not protect their users’ personal data.

Marriott, one of the world’s largest hotels, was recently fined $123 million for violating GDPR by allowing their database of consumer data to be breached. Let’s look at what happened to understand what you can do to prevent the same thing from happening to you.

How Did It Happen

First and foremost, the Marriott breach actually happened at a company they acquired - Starwood. In this new era of digital privacy rights, companies have to assume that they will be held liable for any breach of user data, even if it happened years ago and at a different company.

Starwood’s database was compromised, giving attackers over 339 million guest records, including 18.5 million encrypted passport numbers, 5.25 million unencrypted passport numbers, 9.1 million encrypted payment card numbers, and 385,000 payment card numbers valid at the time of the breach.

Exact details about how the attack happened are not being publicly shared, likely because the Chinese government is thought to be behind the attack to collect more sensitive data on U.S. and other citizens for intelligence purposes. Marriott is a large provider of hotel accommodations for U.S. military and government officials, and the passport data would have been particularly valuable.

Based on the available clues, the breach was probably achieved through three factors that your development team has control over: poor password security and lack of post-compromise database protection.

Passwords as the Way In

If stored in plaintext or simply protected with salting and hashing, passwords are typically the weakest link in many systems. It’s possible that is how the hackers initially gained access to a Starwood administrator account and then to the Starwood database. The company has a history of weak password security, like the use of an easily guessable password for Starwood’s ServiceNow cloud computing service, which can provide access businesses’ financial records, IT security controls and bookings information).

Your Encryption is Only as Strong as Your Key Storage

As noted above, the attackers might have been looking for sensitive data that could help them build dossiers on U.S. citizens and other high-profile individuals.

They must have been pleasantly surprised to find that the majority of the passport numbers were saved in plaintext, with no encryption whatsoever.

The credit card numbers were stored in encrypted form, but the encryption keys were stored on the same server, and were also apparently scooped up in the breach. This is one of the most common security mistakes. It’s akin to storing the key to the castle under the front porch mat. Unfortunately, many cloud providers’ encryption protection solutions store the keys in the database, leaving you just as vulnerable as Marriott.

How it Violated GDPR

If you’re entrusted with personal data, you’re responsible for protecting it. "Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public," Denham said.

Under GDPR, what can be considered a data breach? Really, almost anything. It could be an accidental database misconfiguration that temporarily exposes a database’s contents, internal administrative privileges being too broad, a brute force attack by a hacker, etc.

How to Prevent it From Happening to You

In the future, we’ll have a better replacement for passwords, but until then, developers need to use a better alternative to hashing and salting that can actually stand up to brute force and offline attacks.

With Virgil Security’s PureKit, developers can simply transform the stored user passwords so that the database doesn’t have access to the password itself or the mechanism to unlock it. A user types in their password, and a remote crypto server gives approval that the entry will unlock the transformed data, and access is then given to the user. This way, only the user themselves know their password and if database or the crypto server are individually compromised, nothing will be breached. Plus, if the database is compromised, users won’t even need to change their passwords.

Further, enterprises need post-breach protection that exists independently of the database and continues to secure the data even if the database itself is compromised.

Virgil Security’s PureKit is the only developer tool that provides stored data protection without giving the encryption service or the enterprise database access to the encrypted data or encryption keys. Only once a record password (that is itself cryptographically protected with a dual-party system) is correctly entered can the data be decrypted by then calling the third party crypto server.

This achieves true post-compromise protection so that when there is inevitably unauthorized access to a system database, the encrypted data remains protected and inaccessible, even if the whole database is stolen.

Get started with PureKit today to protect your product from GDPR violations, as the IOC has shown that data breaches are a true violation of GDPR and companies will be held accountable for them.

Virgil Security, Inc. enables developers to eliminate passwords & encrypt everything, in hours, without having to become security experts.

We believe privacy is a fundamental human right. With our products, only your customer holds their data, proven with full transparency in everything from cryptographic libraries to services. Earn your customer’s trust by not asking for it.

Get started today at

Virgil Security has been selected as a Big50-2019 Startup
Rebecca Yarbrough — October 10th, 2019
Building End-to-End Encrypted Chat with E3Kit and Stream
Rebecca Yarbrough — December 11th, 2019