Starwood Former IT VP on Breach

Dec 12, 2018, 10:07 pm
Originally Posted by kyanar
Stop spouting this rubbish
Besides the fact that he'd been saying the same thing long before press reports had mentioned China, I dunno ... someone named "C-17 Passenger" who's got an extensive travel schedule sounds like the kind of person who could very well be, or know, someone who knows exactly what's been going on ...?
kennycrudup is offline  
Dec 12, 2018, 11:22 pm
Originally Posted by C17PSGR
I agree that's the takeaway from the opinion piece -- he says he doesn't know.

On the other hand, that's not remotely the takeaway from the NY Times news article which cites multiple sources for its conclusions regarding the source of the hacking. These sources appear to be different based on their descriptions from Reuters sources that also reached the same conclusion.

It seems to me one has to be trying very hard to dispute conclusions from several different sources regarding the source of the hacking.
Actually, the NY Times piece once more quotes some speculation but zero actual evidence, followed by assertions that it was China, despite there being no concrete evidence of that whatsoever.

Blindly latching onto "it was China!" risks failing to apprehend the actual perpetrators if that assumption is wrong, and is patently irresponsible.

Originally Posted by kennycrudup
Besides the fact that he'd been saying the same thing long before press reports had mentioned China, I dunno ... someone named "C-17 Passenger" who's got an extensive travel schedule sounds like the kind of person who could very well be, or know, someone who knows exactly what's been going on ...?
Not really, no.
kyanar is offline  
Dec 13, 2018, 2:54 am
Is this the same former Starwood IT guy who wrote a volume on how superior Starwood's IT & systems were compared to Marriott's "antiquated" ones? Why yes, yes he is. Given what just went down, it appears Marriott was wise to retire Starwood's systems.

From the article, he says of Starwood that "...best practices were followed in its design (firewalls, DMZs, encryption, etc.)." Those were from 2009 and are not sufficient for 2018; it appears they weren't good enough for 2014 either. Perhaps these (potential) issues were part of the reason Marriott chose to go with their new cloud system instead of continuing to use Starwood's.

As much as I love to hate Marriott's IT department, I am confident they're shooting straight with the information they've provided. I'm sure every single word Marriott has uttered about the breach was created by attorneys from their insurance carrier. If you go to the FAQ page, you'll notice it's hosted by Kroll, a risk management firm. I have no doubt that this firm was hired by the insurance carrier. This is also why you've seen such a public openness by Marriott on this issue vs. the radio silence Marriott has given us with the merger problems. I also am pretty sure the "dedicated call center" to handle the breach is run by Kroll, not Marriott. They have to be open as everything they say WILL be used against them in lawsuits. Again, both the insurance carrier & Kroll are fully aware of this.

As to what transpired and who is to blame, that will come out down the road. In the Target breach, we did eventually learn exactly how the attack happened, where the vulnerability was, and how the industry can prevent it. (Who'd have thought thermostats were that dangerous?)

In the end, this might be one of the biggest blessings to happen to Marriott's IT department. They're going to get near-unlimited funding, unlimited support from the board/CEO, the IT department will have priority over the Marketing department, outside firms to look over and fix their code, and we'll eventually get a website which works properly.
kyanar likes this.
KRSW is offline  
Dec 13, 2018, 7:59 am
Originally Posted by KRSW
Is this the same former Starwood IT guy who wrote a volume on how superior Starwood's IT & systems were compared to Marriott's "antiquated" ones? Why yes, yes he is. Given what just went down, it appears Marriott was wise to retire Starwood's systems.
Especially since said SVP left before the merger, and by the time he wrote his complaint about mainframes and MARSHA in 2016, MARSHA had already been replatformed from mainframe to a server-based architecture for at least a year.

Originally Posted by KRSW
From the article, he says of Starwood that "...best practices were followed in its design (firewalls, DMZs, encryption, etc.)." Those were from 2009 and are not sufficient for 2018; it appears they weren't good enough for 2014 either. Perhaps these (potential) issues were part of the reason Marriott chose to go with their new cloud system instead of continuing to use Starwood's.
The full set of circumstances of why Marriott picked MARSHA are not known. Just being the larger company and the costs of switching a larger number of properties may have been a disincentive. Actual technical benefits (security or otherwise) of MARSHA may have as well. Seeing tons of Windows Server boxes with open RDP to the general internet does not instill confidence that Starwood had their IT game well handled.

Originally Posted by KRSW
As to what transpired and who is to blame, that will come out down the road. In the Target breach, we did eventually learn exactly how the attack happened, where the vulnerability was, and how the industry can prevent it. (Who'd have thought thermostats were that dangerous?)
And of course that giving a third-party contractor VPN credentials open to your network, with no second-factor key like an RSA token, was bad, and having the HVAC equipment on the same network as payment processing was also bad...

Originally Posted by KRSW
In the end, this might be one of the biggest blessings to happen to Marriott's IT department. They're going to get near-unlimited funding, unlimited support from the board/CEO, the IT department will have priority over the Marketing department, outside firms to look over and fix their code, and we'll eventually get a website which works properly.
Fingers crossed on this. They may just bury the post-mortem, as this was a Starwood issue and the Starwood computers are now offline/being decommissioned.
phltraveler is offline  