What a Twist

Those of you who read my novels know that I love to set up twist endings---be it the Mine or Shakchunni or Mahabharata Murders, for it gives me the joy of a conjuror to make the reader's jaw drop. Not that I can see it, the physical act of the jaw-dropping, but I would like to imagine that it happens.

Where I do not enjoy a twist ending, at least not that much, is when I am doing my cybersecurity reading.

[Link from Marriott's official breach notification]

Update as of April 17, 2024: Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018 were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).

So, some context. Marriott hotels, the place where you go to lie down and think about your life choices so that you can figure out why you are not at the Four Seasons, disclosed a data breach back in November 2018, at a time when one wore masks only during Halloween. Not much, just 383 million guest records, with about 25 million passport numbers and 8.6 million payment card numbers.

Now, there is nothing fundamentally alarming about data breaches in this day and age. They happen to all of us, like high blood pressure. There was nothing alarming about this breach either, because Marriott informed the world that the sensitive data, the card numbers and the passport numbers, was encrypted with AES at a key strength of 128 bits.

No harm, no foul.

Except now in April of 2024, and this is the twist, they say it was not AES but SHA-1.

No, it is not just a different cryptographic method, this instead of that. It's not as if you are at the Marriott, and you order hard-boiled eggs and get poached eggs. It's more like you order hard-boiled eggs and someone pours a bucket of cold water on your head.

AES provides confidentiality: nobody can read the data without the key. SHA-1 is a hash function, not a cipher. What it provides is integrity, in that if the data changes, say a bit flips on disk, the digest no longer matches, but the key word is "accidental". Against a threat actor SHA-1 provides no protection, because there is no notion of a key: anyone who holds the digests can compute the same function. And a card number is not a secret with much room in it. It is 16 digits, the first six or eight announce the issuer, and the last one is a Luhn check digit, so the attacker simply hashes every candidate number and reads the matches off a lookup table. A passport number is shorter still. An unkeyed, unsalted SHA-1 of such a value is reversed by enumeration, at tens of billions of guesses per second on a single commodity GPU. Even if Marriott had used a keyed hash (an HMAC, where a secret key is mixed into the hash computation; not the SHA-1 output encrypted afterwards), a MAC authenticates data, it does not hide it: whatever sat in those tables in plaintext would still have been readable.
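To make the enumeration concrete, here is an added example, mine and not Marriott's code or anything from the forensic investigation. It builds Luhn-valid card numbers, stores their bare SHA-1 digests the way the notice describes, and then recovers them by hashing every candidate that starts with a known prefix. The card numbers are constructed and belong to nobody, and the ten-digit "known prefix" is an assumption chosen so the script finishes in about a second; with a real eight-digit BIN the same loop faces 10^7 candidates per issuer prefix, and across all 16-digit numbers about 10^15, which is hours of work for hashcat on one GPU. The `integrity_ok` function shows the one thing a bare hash actually does.

```python
"""Why an unkeyed SHA-1 of a card number is not encryption.

Added example, not Marriott's code. The card numbers are constructed
(Luhn-valid, issued to nobody) and the length of the 'known prefix' is an
assumption made so the search runs in about a second.
"""
import hashlib
import itertools


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes partial + digit valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def sha1_hex(text: str) -> str:
    """The 'protection' the notice describes: a bare, unsalted SHA-1."""
    return hashlib.sha1(text.encode("ascii")).hexdigest()


def integrity_ok(pan: str, stored_digest: str) -> bool:
    """What a bare hash does do: detect that a stored value changed."""
    return sha1_hex(pan) == stored_digest


def crack_sha1_pans(digests, known_prefix: str, pan_length: int = 16) -> dict:
    """Recover card numbers from unkeyed, unsalted SHA-1 digests.

    Enumerates every Luhn-valid PAN of pan_length digits that begins with
    known_prefix, hashes each one, and looks the digest up in the target
    set. Returns {digest: pan} for every digest that was matched.
    """
    targets = set(digests)
    unknown = pan_length - len(known_prefix) - 1  # minus the check digit
    if unknown < 0:
        raise ValueError("prefix longer than the card number")
    found = {}
    for tail in itertools.product("0123456789", repeat=unknown):
        partial = known_prefix + "".join(tail)
        pan = partial + luhn_check_digit(partial)
        digest = sha1_hex(pan)
        if digest in targets:
            found[digest] = pan
            if len(found) == len(targets):
                break
    return found


def demo() -> dict:
    """Store three constructed card numbers as SHA-1, then recover them."""
    prefix = "4111110000"  # assumption: ten digits known, five to guess
    pans = [prefix + t + luhn_check_digit(prefix + t) for t in ("00012", "54321", "90210")]
    stored = {sha1_hex(p): p for p in pans}  # what the breached table would hold
    recovered = crack_sha1_pans(stored.keys(), prefix)
    for digest, pan in recovered.items():
        print(f"{digest[:12]}... -> {pan}")
    return recovered


if __name__ == "__main__":
    demo()
```

The loop is exactly what a password cracker does, only slower: hashcat would take the same digests and the same mask and finish the five-digit search in well under a second. Salting would have forced one enumeration per record instead of one for the whole table; encryption with a key kept away from the database would have left the attacker with nothing to enumerate.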

It took them more than five years to tell their poor customers this. And that, too, only when a judge told them to. [Link]

During the hearing of the US District Court for the District of Maryland Southern Division, Judge John Preston Bailey ordered Marriott “to correct any information on its website within seven days.”

To quote:

Marriott did not issue a news release, nor did it flag the change on its homepage. Instead, it added two sentences to a page on its website from Jan. 4, 2019. The only way for consumers, shareholders, reporters or anyone else to see it is if they happened to click on the five-year-old page.

One would almost think they did not want their customers to know. Like the front desk that could, if it wanted, move you to a room on the third floor, but instead says "Sorry sir, we are all full tonight."

Marriott has thus far not answered any of the critical questions surrounding the admission. What made the company initially think that it had used AES-128, assuming that it did indeed believe that? After forensic investigations by outside firms — including Accenture, Verizon, and CrowdStrike — how did no one notice that there in fact had been no encryption in place? And if they did notice, why was Marriott repeating the false encryption claim? Perhaps most importantly, when and how did Marriott discover the truth?

That, my friends, is the glory of a good twist ending. No one sees it coming. And it's not as if they do not want to.

kurrapati S.

SME | Cybersecurity Analyst & Engineer | SOC, GRC, NIST | Incident Response | AWS, CySA+ | Generative AI | Ex-Apple

1 month ago

Arnab Ray, PhD, this twist you've described is nothing short of cinematic! It's a vivid reminder of how our paths can veer in unexpected directions, challenging our adaptability and resilience. Truly engaging read!
