Marriott admits it falsely claimed for five years it was using encryption during 2018 breach

For more than five years, Marriott has defended a massive 2018 data breach by arguing that its encryption level (AES-128) was so strong that the case against it should be dismissed. But attorneys for the hotel chain admitted in an April 10 hearing that it had never used AES-128 during the time of the breach.

In fact, it hadn’t been using any encryption at all at the time but rather had been using secure hash algorithm 1 (SHA-1), which is a hashing mechanism and not encryption.

During the hearing of the US District Court for the District of Maryland Southern Division, Judge John Preston Bailey ordered Marriott “to correct any information on its website within seven days.”

Marriott did not issue a news release, nor did it flag the change on its homepage. Instead, it added two sentences to a page on its website dated Jan. 4, 2019. The only way for consumers, shareholders, reporters or anyone else to see it is if they happened to click on the five-year-old page.

The two-sentence update reads: “Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018, were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).”

Marriott has not said why it erroneously stated it had used AES-128

Marriott has thus far not answered any of the critical questions surrounding the admission. What made the company initially think that it had used AES-128, assuming that it did indeed believe that? After forensic investigations by outside firms — including Accenture, Verizon, and CrowdStrike — how did no one notice that there in fact had been no encryption in place? And if they did notice, why was Marriott repeating the false encryption claim? Perhaps most importantly, when and how did Marriott discover the truth?

Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting who is not working on the Marriott case, said this twist from Marriott has potentially serious implications for the enterprise. Beyond Marriott, it illustrates some of the dangers associated with any false claims in a breach case.

“Did Marriott make material misrepresentations to their underwriters to obtain coverage before and during the event to cover the losses? If Marriott did indeed make material misrepresentations, it would constitute a clear violation of the contract with the carrier. This could potentially lead to the carrier suing for recovery on the coverages,” Brush said. “Additionally, as part of the M&A due diligence, who the heck said there was a certain encryption standard in place around the data? Buyer, seller, both? This now brings in SEC issues because the due diligence missed something that now has a long tail and significant material impact. Further, if this gets noticed and pressed, will it impact the 2024 stock prices and be an 8-K disclosure?”

As of March 2019, the company had reported $28 million in expenses related to the breach.

AES-128 and SHA-1 are two very different security approaches

Brush added that the technical nature of these two very different security approaches (AES-128 and SHA-1) raises questions over how it could have possibly been missed that encryption was not in place. For example, when Marriott purchased the systems from Starwood, it would have had to integrate the two systems. “To integrate the systems, you had to have known the encryption scheme,” Brush said. 

When asked to make a security comparison between AES-128 and SHA-1, Fuad Hamidli — a cryptographer and senior lecturer with the New Jersey Institute of Technology — said “SHA-1 is not secure. It is broken” and that SHA-1 “is bad because it is not secure from a cryptographic perspective. I don’t know of any algorithm that can break AES-128. It doesn’t make any sense to protect data with SHA-1.”

Phil Smith, who builds encryption products as the encryption product manager for Open Text, agreed with Hamidli’s assessment. “You are not going to brute force an AES-128. You can crack SHA-1 in less than an hour.”

Lawyers for the plaintiffs say the misidentification thwarted fraud-finding efforts

Attorneys for consumers suing Marriott argued to Judge Bailey that the new information is serious because it is well accepted that SHA-1 is not encryption but rather a hashing algorithm that can be hacked very quickly. “In fact, card brands don’t even allow you to protect information using that kind of algorithm,” attorney Amy Keller said.

“And then the other issue is Marriott said, ‘Don’t worry because we’ve found no widespread evidence of fraud.’ The problem with that statement is it ignores the fact that when you tell people certain information is encrypted, two things happen. The first is that card brands like Mastercard and VISA stop investigating for widespread fraud. So, if the card brand determined that widespread fraud could not have happened because the information was encrypted, and so the kind of information that they were looking for is now lost forever because that was five years ago.”

In a court filing, plaintiffs’ counsel added that a declaration from liability expert Mary Frantz stated that the protection of payment card data through SHA-1 is functionally the same as no encryption, “as any hacker using a modern laptop could have revealed the payment card and passport numbers exfiltrated from Marriott’s database.”
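The distinction the experts draw above, shown as an added example that is not from the article or any party in the case: a plain SHA-1 of a card number is keyless, so whoever holds the stored value can recompute it for every candidate number and read off the match, whereas a keyed construction cannot be tested without the secret (HMAC-SHA1 stands in here for any key-based scheme such as AES). The sample card number, the assumption that only its last four digits are unknown, and all keys are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterator, Optional

# Constructed sample card number (not a real PAN). For the demonstration we
# pretend only the last four digits are unknown; a real 16-digit PAN with a
# known issuer prefix still leaves only about 10**9 candidates, which is why
# an unkeyed hash of it is "functionally the same as no encryption".
SAMPLE_PAN = "4000123456780123"
KNOWN_PREFIX = SAMPLE_PAN[:-4]


def unkeyed_sha1(pan: str) -> str:
    """Plain SHA-1 of the PAN: deterministic and keyless, so anyone can
    recompute it for any candidate value and compare."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_tag(pan: str, key: bytes) -> str:
    """HMAC-SHA1 under a secret key: without the key, a candidate cannot
    be checked against the stored value."""
    return hmac.new(key, pan.encode(), hashlib.sha1).hexdigest()


def candidates(prefix: str) -> Iterator[str]:
    """Enumerate every PAN sharing the known prefix (last four digits vary)."""
    for suffix in range(10_000):
        yield f"{prefix}{suffix:04d}"


def invert_by_enumeration(stored: str, prefix: str,
                          fn: Callable[[str], str]) -> Optional[str]:
    """Recompute fn() over every candidate; return the match or None."""
    for pan in candidates(prefix):
        if hmac.compare_digest(fn(pan), stored):
            return pan
    return None


def demo() -> tuple:
    """Returns (PAN recovered from plain SHA-1, result against keyed tag)."""
    recovered = invert_by_enumeration(unkeyed_sha1(SAMPLE_PAN),
                                      KNOWN_PREFIX, unkeyed_sha1)
    owner_key = secrets.token_bytes(32)        # held only by the system owner
    stored_tag = keyed_tag(SAMPLE_PAN, owner_key)
    wrong_key = secrets.token_bytes(32)        # anyone without the real key
    not_recovered = invert_by_enumeration(
        stored_tag, KNOWN_PREFIX, lambda p: keyed_tag(p, wrong_key))
    return recovered, not_recovered
```

Running `demo()` recovers the sample number from its SHA-1 in a fraction of a second but returns `None` for the keyed tag, which is the gap between "hashed with SHA-1" and "encrypted" that the court filing describes.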

Marriott disagrees that the issue is serious and information has been lost

Lisa Ghannoum, representing Marriott, disagreed with Keller’s contentions, including that information has been lost. “That is simply not the case,” Ghannoum said. “The relevant parties are preserving information. In fact, the plaintiffs asked the defendants to preserve information and we agreed to that. We would have done it anyway. The notion that information has been lost forever is simply not accurate.”

“Verizon, an independent third party, came to the same conclusion that Marriott initially had, that data in these involved tables were protected by AES-128 encryption, as did Marriott’s other technical experts, including CrowdStrike. It worked with a specialized team in response,” Ghannoum said. “It was only recently that Marriott had reason to question that. It moved with all due speed in order to verify whether or not that was the case, and as soon as it realized that there was a correction needed, it made that correction.”
