This article seems full of points that a lay person might nod along with, yet don't hold up to scrutiny.<p>> The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years.<p>It does not mean that. It means that we don't know of any exploited vulnerabilities before that point.<p>> If the detection tool was used prior to this September, why hadn’t the breach been detected earlier? And if the tool was not used earlier, how can they be so sure the breach occurred in 2014?<p>It isn't unthinkable that the new tool alerted them to a problem, and during the investigation they discovered evidence that the vulnerability had been abused in the past.<p>> It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys.<p>Why? The argument seems to be: the primary encryption key is important, and thus will be most carefully guarded, so it is unthinkable that it would actually be exposed.<p>Ultimately the article strikes me as an article written by someone who has a beef with Marriott, and he ends by noting that it's possible that the breach occurred not due to issues with design, but due to the layoffs of Starwood's technical staff.
I'm amongst the most frequent guests at Starwood, spending >100 nights a year in their hotels. I wasn't thrilled when it was announced they'd be acquired by Marriott. This year, they began the switchover process of migrating to Marriott's technology, and the full switch officially happened in mid-August.<p>It was a complete and utter disaster.<p>Everything was buggy, points mysteriously disappeared, reservations disappeared. Inconsistent UI, a mix of old and new systems. A truly awful experience dealing with support agents who were incapable of comprehending what was happening. I'm still waiting for a handful of stays to be credited to my account months later and nobody can help me because the systems are broken.<p>I found myself staying mostly at Hyatt hotels while the dust settled. I'll end the year with another 100 nights with Starwood/Marriott, and 80 with Hyatt. But, given the direction the company has taken since the merger, that number will likely be going down on the Marriott side.<p>After hearing that Marriott laid off the majority of Starwood's technical staff before attempting this migration, I'm not surprised it went this way. I'm also very much inclined to believe that the data breach happened during this migration.
The article he wrote about Marriott's choice to continue using its z/TPF based platform over migrating to Starwood is also telling.<p><a href="https://www.linkedin.com/pulse/marriottstarwood-back-future-technology-decision-israel-del-rio/" rel="nofollow">https://www.linkedin.com/pulse/marriottstarwood-back-future-...</a><p>See this quote: "To better understand the resulting Starwood’s technology compared to industry legacy systems, think Tesla Model S versus a gas-guzzling 1975 Buick Electra.<p>Then along came Marriott . . .<p>When Marriott announced its interest in acquiring Starwood, one would have believed that they factored in a $500 million Starwood IP technology value within their $13.6 Billion offer, and that they would have been salivating at the prospect of having their hands on the fruits of the multi-year transformation experience this IP represented. After all, while stable as a rock, Marriott’s own system today centers around 1970’s Mainframe TPF technology (MARSHA) suitably kept current via the judicious use of the scotch-tape and wires represented by a cornucopia of front-end gateways and the labor intense support of inflexible legacy code, eclectic data bases, hard-coded interfaces, and a veritable zoo of different property management systems crying for better integration."<p>It reads as sour grapes to me.<p>If you wanna read more about MARSHA, this seems to be a good source: <a href="http://ibmsystemsmag.com/mainframe/casestudies/miscellaneous/marriott_agility/?page=1" rel="nofollow">http://ibmsystemsmag.com/mainframe/casestudies/miscellaneous...</a>
> if [...] the breach began in 2014, the system would already have been operating securely for five years. It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner.<p>I mean, that seems very easy to imagine? Just last year WannaCry exposed an RCE exploit in Windows that has been present since at least Windows XP (<a href="https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010" rel="nofollow">https://docs.microsoft.com/en-us/security-updates/securitybu...</a>). And there are orders of magnitude more people looking for exploits in Windows than in Marriott's internal systems. I don't find this article particularly credible.
This guy appears to have no clue what he is talking about, and is painfully ignorant of both security and technology.<p>I realize that’s not a very substantive comment, but wow.<p><i>“The Valhalla system was fully activated in 2009, and my understanding is that all best practices were followed in its design (firewalls, DMZs, encryption, etc.).”</i><p><i>“It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner.”</i><p><i>“It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys.”</i><p>This is just painful to read from someone so senior on their soapbox. It’s probably exactly why they got hacked. Also note that this isn’t the first major Starwood breach: <a href="https://www.starwoodhotels.com/html/HTML_Blocks/Corporate/Confidential/Letter.htm" rel="nofollow">https://www.starwoodhotels.com/html/HTML_Blocks/Corporate/Co...</a>
This is an exceptionally self-serving take on the matter at hand. So much so that it’s frankly breathtaking that it’s been upvoted to #1.<p>Dear Israel del Rio,<p>As a Marriott and SPG member since history, kindly focus on not disclaiming responsibility in a public forum, since you almost assuredly aren’t as innocent as you claim.
> It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys.<p>I was reasonably sold on what was being said until that comment. Impossible is a strong word to use when it comes to computer security. It seems that everyone who has claimed that their system is unhackable always ends up being hacked.
"The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years.<p>It is difficult to imagine how an architectural or platform vulnerability would not have been discovered or exploited sooner."<p>Not really. There have been vulnerabilities that were out in the wild for quite some time and took years to be found. Sometimes it just comes down to luck/what people are trying to exploit.
Worth pointing out that at the time of this guy's tenure, and for many years afterwards, the way you authenticated yourself while booking a rewards reservation with SPG via the phone was to verbally tell the agent your online password. Like, WTF.
This person has not worked at Starwood in 12 years. Their qualifications for making any kind of insightful analysis are basically nil at this point. As if this weren't absurd enough, he goes on to make the following laughable statements:<p>>"It is almost impossible to imagine a scenario in which an external hacker is able to gain access to the primary encryption keys."<p>>"The fact is, if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years."<p>>"Israel del Rio is executive technology consultant and CTO at Quilmach."<p>As someone who has family affected by this breach, it's upsetting to see this individual using this incident for their own self-promotion. However, at least his new company Quilmach now knows he is completely clueless about technology. So I guess he did everyone a favor here. Israel del Rio - Executive Idiot.
There’s no meaningful security in travel companies. They share with everyone and controls are a joke.<p>Hell, Hilton allowed for 4-digit numeric passwords until a few years ago.
He seemed to say the database wouldn't have 500 million records in it at a time since they are deleted, but that seems irrelevant given how the breach took place over 4 years. Anyway, the article seems to be just speculation, which is disappointing.<p>Edit: this article has gotten a lot more upvotes than I would expect for something of this quality; is there something about it I'm missing that makes it particularly insightful?
This is a masterclass of CYA. He takes a lot of effort to try to prove that the system he was in charge of wasn't the cause, even though his arguments are absurd ("if we accept Marriott’s statement that the breach began in 2014, the system would already have been operating securely for five years." It was operating for 5 years, but there's nothing to prove that it was operating securely for 5 years.) He also handwaves and leads the readers down some detective story ("ergo it must have been the data warehouse!") and says "We really don't know if it was Valhalla and may never know!"<p>No wonder he's an executive, he is an expert CYA-er!
Also see extensive discussion of Marriott/Starwood situation within <a href="https://news.ycombinator.com/item?id=18651676" rel="nofollow">https://news.ycombinator.com/item?id=18651676</a>
There's a lot of sour grapes among Starwood employees in the lead-up to and after the merger. A lot of dedicated middle management folks got forced out and a lot of managers in well-performing hotels were forced to move. None of the grunt employees seemed happy with it on either side.
This is a surprisingly poor understanding of tech. Do hotels hand out titles like investment banks (there were hundreds of VPs at JP Morgan), or was this author actually in a position of responsibility? Is it common for non-tech companies to have such people in high up places?
> Still, most commonly, breaches occur when someone obtains an administrative password via deceitful means (e.g., phishing attacks), enabling them to log into the system and install Trojan software to extract data or to manipulate the system.<p>> This is the method the Russians used to hack into the Democratic National Committee emails, for example.<p>AFAIK, phishing was the main attack for Podesta's emails, but I'm not aware that this was used on the DNC hack. I think the author is mixing scenarios.