The Marriott/Starwood Data Breach: Early Lessons To Be Learned

On November 30, Marriott International announced that it had learned from an internal investigation in September 2018 that “an unauthorized party” had obtained unauthorized access to the guest reservation database of Starwood Resorts, which Marriott had acquired in 2016.  That unauthorized party apparently obtained information on

up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

For compliance officers responsible for cybersecurity, the most troublesome fact that Marriott disclosed should not be the magnitude of this breach (though that is certainly breathtaking), but its statement that it “learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”  While Marriott reported that it is supporting law enforcement efforts, “working with leading security experts to improve,” and offering various information resources and support for persons who may be affected by the breach, cybersecurity experts quickly responded that Starwood should have detected the breach years earlier – not least because Starwood had suffered a different, smaller breach in 2015, not long after Marriott had announced the deal to acquire Starwood.

That response has a substantial measure of truth, but does not delve deeply enough.  In fact, even at this early stage of post-breach activity, there are several lessons that other companies can learn from Marriott’s situation.

First, there are at least three periods of time since the 2015 acquisition announcement at which Starwood, Marriott, or both companies should have discovered some indications of the 2014 breach:

  • Pre-Acquisition Due Diligence: Knowing that Starwood had suffered the 2015 breach, both Marriott and Starwood had ample opportunity, during the pre-acquisition phase, to review the state of Starwood’s cybersecurity measures and determine whether any significant instances of unauthorized access had taken place. It is no overstatement to say that cybersecurity is a critical component of pre-acquisition due diligence.
  • Post-Acquisition Due Diligence and Integration: If not done pre-acquisition, Marriott had ample opportunity, in the course of integrating Starwood and Marriott resources, to do a similar due diligence review and check for existing data breaches or other critical cyber vulnerabilities.
  • Post-Integration: Even in the post-integration phase, before Marriott’s and Starwood’s rewards programs merged in August 2018, Marriott had additional time to conduct proactive cybersecurity reviews relating to Starwood’s data resources.

Second, the fact that Marriott apparently first discovered in September 2018 that unauthorized access to the Starwood database had begun in 2014 suggests that there were additional critical gaps in the cybersecurity programs of both companies.  In the September 2018 version of its publication “Best Practices for Victim Response and Reporting of Cyber Incidents,”  the U.S. Department of Justice’s Cybersecurity Unit identified a number of best practices which organizations should adopt before a cyber intrusion or attack occurs.  Two of those are:

  • “Identify Your ‘Crown Jewels’.” The “Best Practices” document states that “[b]efore formulating a cyber incident response plan, an organization should first determine which of its data, assets, and services warrants the greatest protection. Prioritizing the protection of an organization’s “crown jewels” and assessing how to manage the risk associated with protecting them are important first steps toward preventing the type of catastrophic harm that can result from a cyber incident.”  The apparent lack of ongoing or periodic internal cybersecurity reviews for breaches, however, is strongly suggestive that Starwood did not recognize or designate its customers’ personal data as “crown jewels,” let alone prioritize their protection.
  • “Educate Senior Management about the Threat.” The document also states that “an organization’s senior management, board of trustees, and any other governing body responsible for making resource decisions and setting priorities should be aware of how cyber threats can disrupt an organization, compromise its products, impair customer confidence and relations, and otherwise cause costly damage.”  The failure to discover this breach at any time before September 2018, unfortunately, suggests that between 2015 and 2018, Starwood and Marriott senior management either were not sufficiently educated about the risks of cyber attacks and the need to dedicate appropriate resources to cyber defense, or were informed but disregarded or downplayed the information.

Much remains to be learned about the pre-September 2018 state of Marriott’s and Starwood’s cybersecurity programs.  It is not too soon, however, for companies to use the known facts about this latest breach, and inferences therefrom, as a benchmark for the basic condition of their own cybersecurity programs, and as an opportunity to remind senior management about the potentially catastrophic consequences of failure to maintain robust cyber defenses.

How Low Can Jho Go?

On November 30, two actions in the U.S. District Court for the District of Columbia indicate that the U.S. Department of Justice has been actively pursuing a troubling dimension of the extensive efforts by Malaysian billionaire Jho Low to evade prosecution for his role in the 1MDB scandal.  Not content with allegedly conspiring to bribe Malaysian and Abu Dhabian government officials to obtain and retain business and conspiring to launder the proceeds of that conduct, and fleeing Malaysia for Hong Kong, Macau, and parts unknown, the filings indicate that Low sought to use laundered funds to support lobbying efforts in the United States to influence the Department’s investigations of him.

First, the U.S. Department of Justice announced the filing of a civil forfeiture action, seeking to recover more than $73 million in funds that the Department stated were connected with billions of dollars embezzled from 1MDB that Low and others allegedly conspired to launder.  The Department also alleged, consistent with the indictment returned against Low and another individual last month, that Low and others paid hundreds of millions of dollars in foreign-official bribes.  The forfeiture complaint alleged that Prakazrel (“Pras”) Michel, a noted rapper and record producer – with the assistance of George Higginbotham, a senior Justice Department congressional affairs specialist until August 2018 – opened multiple bank accounts at U.S. financial institutions in 2017 to receive tens of millions of dollars in funds from overseas accounts controlled by Low.

The purpose of those funds was “to pay individuals to lobby high-level U.S. government officials to influence, inter alia, an ongoing U.S. Department of Justice (DOJ) criminal investigation of JHO LOW and related civil forfeiture proceedings over numerous of JHO LOW’s assets.”  In opening these accounts, Michel and Higginbotham allegedly made false and misleading statements to U.S. financial institutions that housed the accounts in order to mislead these institutions about the source of the funds and to obscure Low’s involvement in these transactions.

Second, Higginbotham entered a plea of guilty to one count of conspiracy to make false statements to a bank, relating to his helping to facilitate the transfer of tens of millions of dollars for Low’s lobbying campaign.  Higginbotham admitted “that the foreign principal behind the lobbying campaign was alleged to be the primary architect of the 1MDB scheme,” and

that another purpose of the lobbying campaign was an attempt to persuade high-level U.S. government officials to have a separate foreign national, who was residing in the United States on a temporary visa at the time, removed from the United States and sent back to his country of origin.

Finally, he also admitted that in order to conceal Low’s identity he conspired to make false statements to U.S. financial institutions concerning the source and purpose of the funds, and that he worked “on various fake loan and consulting documents in order to deceive banks and other regulators about the true source and purpose of the money.”

Note: Although the Wall Street Journal first disclosed the existence and general dimensions of these lobbying efforts in March 2018, these filings indicate more specifically the extent to which those efforts were intertwined with Low’s broader array of alleged federal crimes.  The Justice Department has sought to dispel potential concern that those efforts had any effect on the Department or its investigations.  In the forfeiture complaint, the Department stated categorically that “HIGGINBOTHAM, who was employed at DOJ in a non-lawyer position, was not involved in any way in the DOJ’s investigation of JHO LOW and failed to influence any aspect of DOJ’s investigation of 1MDB and JHO LOW.”  Still, many current and former Justice Department officials and employees must be dismayed, even angered, that any Justice Department employee would consider it appropriate to assist a known target of civil and criminal investigations by the Department in attempting to use political influence to interfere with the pursuit of those investigations.

As for Michel, the Department to date has not announced any civil or criminal charges against him personally pertaining to 1MDB or Low.  Nonetheless, Higginbotham’s plea and the forfeiture complaint – which includes allegations such as “MICHEL knew that JHO LOW was toxic to U.S. banks and that U.S. banks did not want to deal with him or accept JHO LOW’s funds” – provide reasons to believe that Michel, like Low, at the least may be losing his equanimity.