Big news in the cybersecurity world: Marriott International and its subsidiary Starwood Hotels are on the hook for $52 million, plus the creation of a comprehensive information security program, as part of a settlement for data breaches that affected more than 344 million customers.

What does this mean for you, the U.S. consumer? For starters, Marriott and Starwood will have to implement a robust security program and allow customers to request personal data deletions.

And there’s more: The American hospitality giant has also agreed to pay $52,000,000 to 49 states to resolve claims related to these data breaches.

So, what happened with Marriott?

Marriott International is a major player in the hospitality industry, managing and franchising a huge portfolio of hotels and lodging facilities. They operate over 7,000 properties in 130 countries worldwide.

Starwood, on the other hand, was an American hotel and leisure company until Marriott acquired it in 2016. This acquisition made Marriott responsible for data security and related hotel operations.

The announcement from the FTC shines a light on three cases where Marriott dropped the ball when it came to protecting its customers’ information.

First, there was a data breach in June 2014 in which many Starwood customers’ payment card information was exposed. It took 14 months for this breach to be discovered and publicly disclosed, which left affected clients exposed to elevated risks for over a year.

Then, there was a second incident where hackers accessed 339 million Starwood guest account records, including 5.25 million unencrypted passport numbers. This breach occurred in July 2014 but wasn’t detected until September 2018, again leaving customers exposed for multiple years.

Lastly, a third breach impacted Marriott itself. In September 2018, malicious actors accessed the records of 5.2 million guests. The exposed data included names, email addresses, postal addresses, phone numbers, dates of birth, and loyalty account information. Marriott didn’t discover this compromise and inform its clients until February 2020.

What’s the deal with the settlement?

The FTC is accusing Marriott and Starwood of misleading consumers about their data security practices. Some of the outlined failures include poor password controls, outdated software, and a lack of appropriate monitoring in their IT environment.

As part of the settlement agreement, Marriott and Starwood will now have to:

1. Establish a comprehensive information security program, complete with third-party assessments every two years and annual compliance certification for 20 years.
2. Limit data retention to only what’s necessary and inform customers of the reason for collecting and keeping their data.
3. Allow customers to request reviews of unauthorized activity in their loyalty accounts and restore stolen points.
4. Provide a way for customers to request deletion of personal information linked to their email or loyalty account.
5. Prohibit misrepresenting how personal data is handled and ensure transparency in security practices.

Marriott has also reached a separate settlement with 49 states and the District of Columbia, agreeing to pay $52,000,000 to resolve allegations and claims related to the above security incidents.

What can you do to protect yourself?

Data breaches like these are a harsh reminder that we need to be vigilant about our online security. Make sure to use strong, unique passwords for each of your accounts and keep an eye on your financial and loyalty accounts for any suspicious activity. Consider using a password manager to help you keep track of your passwords securely.

And remember, we’re always here to help. If you have any questions about cybersecurity or want to learn more about protecting your personal information, don’t hesitate to reach out to us. We’re committed to helping you stay informed and secure in this ever-changing digital landscape.

A Major Breach at Fidelity Investments

Imagine you’re one of the 77,000 customers of Fidelity Investments, a Boston-based multinational financial services company, who just found out that their personal information had been exposed. This was the unfortunate reality for many after Fidelity disclosed that its systems were breached in August.

As one of the largest asset managers globally, with $14.1 trillion in assets under administration and $5.5 trillion under management, Fidelity employs over 75,000 associates across 11 countries in North America, Europe, Asia, and Australia. With such a massive operation, this breach is undoubtedly a significant concern for both the company and its customers.

The Details of the Breach

In a filing with the Office of Maine’s Attorney General, Fidelity revealed that an unknown attacker stole data between August 17 and 19 using “two customer accounts that they had recently established.” The company detected the activity on August 19 and immediately took steps to terminate the access, launching an investigation with assistance from external security experts.

In data breach notifications sent to affected individuals, Fidelity said, “The information obtained by the third party related to a small subset of our customers. Please note that this incident did not involve any access to your Fidelity account(s).” However, the company has yet to reveal what personal information was stolen in the data breach besides names and other personal identifiers.

When we asked how the attacker could access the data of thousands of customers using two accounts they previously created, Fidelity’s head of external corporate comms, Michael Aalto, said they couldn’t share that information. However, he added that “they did not view accounts. They viewed customer information.”

What’s Being Done to Protect Customers?

Even though Fidelity says there is no evidence that the stolen customer data has been misused, the company is providing affected customers with two years of free TransUnion credit monitoring and identity restoration services.

Fidelity also advised customers to “remain vigilant for fraudulent activity or identity theft by regularly reviewing your statements for your financial and other accounts, monitoring your credit reports, and promptly reporting any suspicious activity to your financial institution (if applicable), local law enforcement, or your appropriate state authority.”

A Call to Take Cybersecurity Seriously

This incident serves as a powerful reminder of the importance of cybersecurity for both individuals and companies. As technology continues to evolve, so do the threats we face. It’s crucial to stay informed about potential risks and take the necessary steps to protect ourselves and our sensitive information.

That’s why we’re here to help. Our IT Services team is dedicated to providing you with the latest cybersecurity information and guidance. Don’t hesitate to contact us if you have any questions or concerns, and remember to keep coming back to learn more about how to stay safe in our digital world.

We have recently learned that the Underground ransomware gang has taken credit for an attack on Casio, the Japanese tech giant, on October 5. The attack caused disruptions in the company’s systems and affected some of its services.

Earlier this week, Casio acknowledged the attack on its website but did not provide any specifics. Instead, they mentioned that external IT specialists were brought in to determine if any personal data or other confidential information was stolen during the breach.

Now, the Underground ransomware group has posted information on its dark web extortion portal, claiming they have stolen a significant amount of data from Casio.

The stolen data allegedly includes:

• Confidential documents (社外秘)
• Legal documents
• Personal data of employees
• Confidential NDAs
• Employee payroll information
• Patents information
• Company financial documents
• Project information
• Incident reports

If these claims are true, Casio’s workforce and intellectual property have been significantly compromised, potentially harming the company’s business operations.

We contacted Casio to request a comment on these claims and the data leak, but we have not received any response. As such, we cannot verify the authenticity of the threat actor’s statements at this time.

Underground ransomware: A brief overview

According to a Fortinet report from August 2024, Underground is a relatively small-scale ransomware operation that has been targeting Windows systems since July 2023. The operation is associated with the Russian cybercrime group ‘RomCom’ (Storm-0978), previously known for delivering Cuba ransomware on breached systems.

Fortinet’s report indicates that over the summer, Underground ransomware operators exploited CVE-2023-36884, a remote code execution flaw in Microsoft Office, likely used as an infection vector. Once a system is breached, the attackers modify the registry to keep Remote Desktop sessions alive for 14 days after user disconnection, providing ample time for them to maintain access to the system.

Interestingly, Underground does not add any file extensions to encrypted files and is designed to avoid file types essential for Windows operation, ensuring the affected system remains functional. The ransomware also stops the MS SQL Server service to free up data for theft and encryption, maximizing the impact of the attack.

Like most Windows ransomware strains, Underground deletes shadow copies to make data restoration extremely difficult.

One unique aspect of Underground’s extortion tactics is that it also leaks stolen data on Mega, promoting links to archives hosted there via its Telegram channel. This strategy increases the exposure and availability of the stolen information.

Currently, Underground ransomware’s extortion portal lists 17 victims, with the majority based in the USA.

It remains to be seen whether the Casio attack will serve as the catalyst for the threat group to gain mainstream attention and increase the frequency and scale of its attacks.

As cybersecurity experts, we believe it’s essential for businesses and individuals to stay informed about the latest threats and best practices for protecting their valuable data. We encourage you to contact us and keep coming back to learn more about the ever-evolving world of cybersecurity.