The Marriott/Starwood Data Breach: Early Lessons To Be Learned

On November 30, Marriott International announced that it had learned from an internal investigation in September 2018 that “an unauthorized party” had obtained unauthorized access to the guest reservation database of Starwood Resorts, which Marriott had acquired in 2016.  That unauthorized party apparently obtained information on

up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).

For compliance officers responsible for cybersecurity, the most troublesome fact that Marriott disclosed should not be the magnitude of this breach (though that is certainly breathtaking), but its statement that it “learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”  While Marriott reported that it is supporting law enforcement efforts, “working with leading security experts to improve,” and offering various information resources and support for persons who may be affected by the breach, cybersecurity experts quickly responded that Starwood should have detected the breach years earlier – not least because Starwood had suffered a different, smaller breach in 2015, not long after Marriott had announced the deal to acquire Starwood.

That response has a substantial measure of truth, but does not delve deeply enough.  In fact, even at this early stage of post-breach activity, there are several lessons that other companies can learn from Marriott’s situation.

First, there are at least three periods of time since the 2015 acquisition announcement at which Starwood, Marriott, or both companies should have discovered some indications of the 2014 breach:

  • Pre-Acquisition Due Diligence: Knowing that Starwood had suffered the 2015 breach, both Marriott and Starwood had ample opportunity, during the pre-acquisition phase, to review the state of Starwood’s cybersecurity measures and determine whether any significant instances of unauthorized access had taken place. It is no overstatement to say that cybersecurity is a critical component of pre-acquisition due diligence.
  • Post-Acquisition Due Diligence and Integration: If not done pre-acquisition, Marriott had ample opportunity, in the course of integrating Starwood and Marriott resources, to do a similar due diligence review and check for existing data breaches or other critical cyber vulnerabilities.
  • Post-Integration: Even in the post-integration phase, before Marriott’s and Starwood’s rewards programs merged in August 2018, Marriott had additional time to conduct proactive cybersecurity reviews relating to Starwood’s data resources.

Second, the fact that Marriott apparently first discovered in September 2018 that unauthorized access to the Starwood database had begun in 2014 suggests that there were additional critical gaps in the cybersecurity programs of both companies.  In the September 2018 version of its publication “Best Practices for Victim Response and Reporting of Cyber Incidents,”  the U.S. Department of Justice’s Cybersecurity Unit identified a number of best practices which organizations should adopt before a cyber intrusion or attack occurs.  Two of those are:

  • “Identify Your ‘Crown Jewels’.” The “Best Practices” document states that “[b]efore formulating a cyber incident response plan, an organization should first determine which of its data, assets, and services warrants the greatest protection. Prioritizing the protection of an organization’s ‘crown jewels’ and assessing how to manage the risk associated with protecting them are important first steps toward preventing the type of catastrophic harm that can result from a cyber incident.”  The apparent lack of ongoing or periodic internal cybersecurity reviews for breaches, however, strongly suggests that Starwood did not recognize or designate its customers’ personal data as “crown jewels,” let alone prioritize their protection.
  • “Educate Senior Management about the Threat.” The document also states that “an organization’s senior management, board of trustees, and any other governing body responsible for making resource decisions and setting priorities should be aware of how cyber threats can disrupt an organization, compromise its products, impair customer confidence and relations, and otherwise cause costly damage.”  The failure to discover this breach at any time before September 2018, unfortunately, suggests that between 2015 and 2018, Starwood and Marriott senior management either were not sufficiently educated about the risks of cyber attacks and the need to dedicate appropriate resources to cyber defense, or were informed but disregarded or downplayed the information.

Much remains to be learned about the pre-September 2018 state of Marriott’s and Starwood’s cybersecurity programs.  It is not too soon, however, for companies to use the known facts about this latest breach, and inferences therefrom, as a benchmark for the basic condition of their own cybersecurity programs, and as an opportunity to remind senior management about the potentially catastrophic consequences of failure to maintain robust cyber defenses.

How Low Can Jho Go?

On November 30, two actions in the U.S. District Court for the District of Columbia indicate that the U.S. Department of Justice has been actively pursuing a troubling dimension of the extensive efforts by Malaysian billionaire Jho Low to evade prosecution for his role in the 1MDB scandal.  Not content with allegedly conspiring to bribe Malaysian and Abu Dhabian government officials to obtain and retain business, conspiring to launder the proceeds of that conduct, and fleeing Malaysia for Hong Kong, Macau, and parts unknown, Low, the filings indicate, sought to use laundered funds to support lobbying efforts in the United States to influence the Department’s investigations of him.

First, the U.S. Department of Justice announced the filing of a civil forfeiture action, seeking to recover more than $73 million in funds that the Department stated were connected with billions of dollars embezzled from 1MDB that Low and others allegedly conspired to launder.  The Department also alleged, consistent with the indictment returned against Low and another individual last month, that Low and others paid hundreds of millions of dollars in foreign-official bribes.   The forfeiture complaint alleged that Prakazrel (“Pras”) Michel, a noted rapper and record producer – with the assistance of George Higginbotham, a senior Justice Department congressional affairs specialist until August 2018  — opened multiple bank accounts at U.S. financial institutions in 2017 to receive tens of millions of dollars in funds from overseas accounts controlled by Low.

The purpose of those funds was “to pay individuals to lobby high-level U.S. government officials to influence, inter alia, an ongoing U.S. Department of Justice (DOJ) criminal investigation of JHO LOW and related civil forfeiture proceedings over numerous of JHO LOW’s assets.”  In opening these accounts, Michel and Higginbotham allegedly made false and misleading statements to U.S. financial institutions that housed the accounts in order to mislead these institutions about the source of the funds and to obscure Low’s involvement in these transactions.

Second, Higginbotham entered a plea of guilty to one count of conspiracy to make false statements to a bank, relating to his helping to facilitate the transfer of tens of millions of dollars for Low’s lobbying campaign.  Higginbotham admitted “that the foreign principal behind the lobbying campaign was alleged to be the primary architect of the 1MDB scheme,” and

that another purpose of the lobbying campaign was an attempt to persuade high-level U.S. government officials to have a separate foreign national, who was residing in the United States on a temporary visa at the time, removed from the United States and sent back to his country of origin.

Finally, he also admitted that in order to conceal Low’s identity he conspired to make false statements to U.S. financial institutions concerning the source and purpose of the funds, and that he worked “on various fake loan and consulting documents in order to deceive banks and other regulators about the true source and purpose of the money.”

Note: Although the Wall Street Journal first disclosed the existence and general dimensions of these lobbying efforts in March 2018, these filings indicate more specifically the extent to which those efforts were intertwined with Low’s broader array of alleged federal crimes.  The Justice Department has sought to dispel potential concern that those efforts had any effect on the Department or its investigations.  In the forfeiture complaint, the Department stated categorically that “HIGGINBOTHAM, who was employed at DOJ in a non-lawyer position, was not involved in any way in the DOJ’s investigation of JHO LOW and failed to influence any aspect of DOJ’s investigation of 1MDB and JHO LOW.”  Still, many current and former Justice Department officials and employees must be dismayed, even angered, that any Justice Department employee would consider it appropriate to assist a known target of civil and criminal investigations by the Department in attempting to use political influence to interfere with the pursuit of those investigations.

As for Michel, the Department to date has not announced any civil or criminal charges against him personally pertaining to 1MDB or Low.  Nonetheless, Higginbotham’s plea and the forfeiture complaint – which includes allegations such as “MICHEL knew that JHO LOW was toxic to U.S. banks and that U.S. banks did not want to deal with him or accept JHO LOW’s funds” – provide reasons to believe that Michel, like Low, at the least may be losing his equanimity.

Hong Kong Court of Final Appeal Upholds Application of Securities Fraud Ordinance to Insider Dealing in Shares Listed Outside Hong Kong

On October 31, in Lee v. Securities and Futures Commission, the Hong Kong Special Administrative Region Court of Final Appeal decided that Section 300 of the Securities and Futures Ordinance (SFO), which broadly applies to securities fraud, applies to insider dealing in shares that were not listed on the Hong Kong Stock Exchange but were listed on the Taiwan Stock Exchange, provided that substantial activities constituting the crime occurred within Hong Kong.

Section 300 of the SFO states that a person

shall not, directly or indirectly, in a transaction involving securities, futures contracts or leveraged foreign exchange trading—

(a) employ any device, scheme or artifice with intent to defraud or deceive; or

(b) engage in any act, practice or course of business which is fraudulent or deceptive, or would operate as a fraud or deception.

In 2006, four persons engaged in an insider dealing scheme involving shares of Hsinchu International Bank, whose shares were listed on the Taiwan Stock Exchange and were being acquired by Standard Chartered Bank. “Betty”, a solicitor in an international law firm, “Eric,” a solicitor in another international law firm, and “Patsy” and “Stella,” two sisters of Eric, pooled more than HK$6.3 million to buy Hsinchu shares, before the tender offer was made public, through a Hong Kong-based securities firm account that Patsy had opened for the purpose of trading in shares listed in Taiwan. (All names used are the English names that the Court used in its judgments.)  Once the tender offer was made public, Patsy accepted the tender on their Hsinchu shares, making an aggregate profit of nearly HK$2.7 million.  In a civil proceeding by the Hong Kong Securities and Futures Commission (SFC), a judge found that Betty, Eric, and Patsy had contravened section 300 by engaging in their scheme and that Stella had been involved in the others’ contravention of section 300.

In his judgment, Justice Robert Tang found that the term “transaction” in section 300 “has a wide meaning” and covers the defendants’ scheme.  Although subsection 291(5) of the SFO, which specifically prohibits insider dealing, uses definitions of “listed securities” and “listed corporation” that make that subsection inapplicable to shares listed on the Taiwan Exchange, Justice Tang wrote, the term “securities” in section 300

is defined in wide terms and . . . is not confined to shares listed in Hong Kong. It can cover shares not listed in a recognized stock exchange.  I think it would be in keeping with the purpose of the SFO and Hong Kong’s position as an international financial center, that provided “substantial activities constituting the crime” occurred within Hong Kong, s[ection] 300 should cover the insider dealing in shares listed in Taiwan. I have no doubt that substantial activities constituting the complaint under s[ection] 300 occurred in Hong Kong. (Footnotes omitted)

Note: While one law firm has opined that the outcome in Lee was “widely anticipated,” the breadth of the Court’s construction of section 300 is certainly greater than the SFC could have expected.  In the light of the holdings on the breadth of key terms in section 300, and on the reach of section 300 beyond shares listed in Hong Kong even to “shares not listed in a recognized stock exchange,” it will not be surprising if the SFC makes increasing use of that section to pursue a broad array of insider dealing cases.  As the Court did not list or describe the types of activities that could constitute “substantial activities . . . occurr[ing] in Hong Kong,” the SFC will need to proceed cautiously in developing insider-dealing cases involving shares listed outside Hong Kong.

Australian Foreign-Bribery Investigation of Banknote Firms Nears End on Discordant and Surprising Notes

During November, two developments in the long-running foreign-bribery investigation of two Australian banknote companies by the Australian Federal Police (AFP) and Commonwealth prosecutors appear to have brought that investigation to a close.  Both companies — Securency, which made the plastic base for banknotes, and Note Printing Australia (NPA), which produced the notes — were owned by the Reserve Bank of Australia (RBA) at the times relevant to the investigation.

First, on November 8, the High Court of Australia, in a unanimous decision, affirmed the permanent staying of prosecutions against four unnamed NPA executives, who had been charged with violations of the Commonwealth Criminal Code (and, in some cases, the Victoria Crimes Act 1958), on abuse-of-process grounds.  The High Court’s decision stated that the Australian Crime Commission (ACC), which has statutory authority under the Australian Crime Commission Act 2002 to investigate criminal activity, had failed to comply with key provisions of its own legislation.  Even though each of the four executives had been asked to participate in a cautioned record of interview by the AFP and had declined that request, an ACC examiner chose to use the ACC’s coercive powers to compel the executives to answer the AFP’s questions.  Because the AFP and Commonwealth prosecutors gained a substantial forensic advantage from the compelled questioning, the Court agreed with the trial-level judge’s conclusion that “the continued prosecution of the appellants would bring the administration of justice into disrepute.”

Second, during the week of November 26, a former NPA sales executive, Christian Boillot, pleaded guilty to conspiring to offer a bribe to foreign officials in Malaysia.  That result, closely following the High Court’s decision regarding the four other executives, led to the November 28 lifting of non-publication court orders in the case.  That in turn prompted the RBA to issue a statement, in which it publicly disclosed for the first time that in 2011, NPA (wholly RBA-owned) and Securency (50 percent RBA-owned at the time) entered pleas of guilty to charges of conspiracy to bribe officials in Indonesia, Malaysia, Vietnam, and Nepal in connection with banknote-related business.  Previously, in 2011 both firms had been publicly charged in the investigation, but no resolution had been reported until now.  The RBA also stated that as a result of their pleas, the two companies paid a combined total of nearly A$22.6 million (US$16.3 million) in fines and pecuniary penalties under the Proceeds of Crime Act 2002. Although Securency’s pecuniary penalty of A$19,809,772 was more than ten times the size of NPA’s pecuniary penalty of A$1,856,710, the RBA statement did not provide any explanation of the reasons for the disparity or the facts relating to the firms’ relative culpability.

Previously, four other individuals — Securency’s former chief executive and chief financial officer, a manager, and the principal of a Securency agency business in Indonesia — pleaded guilty to various charges and received suspended sentences.  It will be surprising if Boillot, who is scheduled to be sentenced December 6, receives anything but a suspended sentence as well.

Note:  As one of the first cases pursued under Australia’s foreign-bribery laws, this investigation has had as many pluses as it has minuses.  On the plus side, the AFP and the Commonwealth Director of Public Prosecutions (CDPP) deserve credit for initiating and seeing the investigation through over nearly a decade, for conducting a true joint investigation with the United Kingdom Serious Fraud Office (SFO), and for obtaining guilty pleas from NPA, Securency, and a number of top executives.  On the minus side, the SFO is the only prosecuting office that succeeded in obtaining a sentence of imprisonment in that joint investigation, and the High Court’s strong rebuke of the AFP and the CDPP has strengthened the voices of crossbench Members of Parliament advocating the creation of a federal anti-corruption body.  The investigation also called into question the adequacy of the RBA’s supervision of its own subsidiaries.  RBA Governor Philip Lowe acknowledged that the RBA “accepts there were shortcomings in its oversight of these companies, and changes to controls and governance have been made to ensure that a situation like this cannot happen again.”

In one respect, this case could prove to be a historical artifact with respect to regulatory and law enforcement expectations about director accountability for bribery-related conduct.  The RBA’s public statement specifically said that in 2011, the CDPP “accepted that the boards of the two companies had no involvement in, or knowledge of, the conduct in question. No evidence of knowledge or involvement by officers of the RBA, or the non-executive members of either board appointed by the RBA, has emerged in any of the relevant legal proceedings or otherwise.”  Both NPA and Securency, on the other hand, reportedly “accepted that the systems and procedures they had in place at the time of the offending were inadequate to prevent or detect the offending conduct of their senior executives.”  Since 2011, regulatory expectations in the United Kingdom and other countries about the responsibility of boards for overseeing corporate compliance have been increasingly stringent.  It seems highly likely that in future Australian investigations of corporate wrongdoing, mere denials of knowledge or involvement by board members in the alleged wrongdoing will not suffice to avoid individual director culpability, at least when multiple C-level executives and managers are implicated in the bribery scheme and the board failed to establish and maintain consistent oversight on compliance matters.

Further details regarding the sequence of events in the investigation can be found in the RBA’s chronology and an ABC News timeline.

U.S. Department of Justice Indicts Two Iranian Nationals for Sophisticated Ransomware Scheme

Today, the U.S. Department of Justice announced the unsealing of an indictment in the District of New Jersey, charging two Iranian nationals, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, with conducting a 34-month-long international computer hacking and extortion scheme involving the deployment of sophisticated ransomware against more than 200 victims, including hospitals, municipalities, and public institutions.  Both defendants are charged with conspiracy to commit wire fraud, conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.

According to the indictment, the defendants, acting from inside Iran, authored malware, known as “SamSam Ransomware,” that was capable of forcibly encrypting data on the computers of victims.  Beginning in December 2015, the defendants allegedly accessed the computers of victim entities without authorization through security vulnerabilities, and installed and executed the SamSam Ransomware on the computers, which resulted in the encryption of data on the victims’ computers.  In committing their attacks, the defendants allegedly used overseas computer infrastructure and sophisticated online reconnaissance techniques (e.g., scanning for computer network vulnerabilities), and conducted online research in order to select and target potential victims.  In some cases, they would also disguise their attacks to look like legitimate network activity.

Once SamSam was deployed on targeted computers, the defendants allegedly

would then extort victim entities by demanding a ransom paid in the virtual currency Bitcoin in exchange for decryption keys for the encrypted data, collecting ransom payments from victim entities that paid the ransom, and exchanging the Bitcoin proceeds into Iranian rial using Iran-based Bitcoin exchangers.  The indictment alleges that, as a result of their conduct, Savandi and Mansouri have collected over $6 million USD in ransom payments to date, and caused over $30 million USD in losses to victims.

Note:  Financial-crimes compliance and information-security officers should use this indictment as an opportunity to remind corporate officers and employees, at all levels, of the risks that ransomware can pose to their companies’ capacity to conduct critical operations, as well as their obligation to comply fully with corporate cybersecurity requirements.  As cybersecurity firm Malwarebytes previously observed, to gain initial access SamSam uses not only sophisticated exploitation of vulnerabilities in remote desktop protocols, Java-based web servers, and file transfer protocol servers, but also the unsophisticated but still effective approach of “brute force” attacks against weak passwords.

The consequences of failing to guard against ransomware such as SamSam on all fronts have been catastrophic for various businesses. Among other SamSam victims, the City of Atlanta, which reportedly refused to pay the ransom, may need as much as $17 million to remediate the damage, and an Indiana hospital, which reportedly chose to pay the ransom, was nonetheless reduced at one point to working with pen and paper before systems could be restored.  Because the cybersecurity community by now is well aware of the vectors and techniques behind SamSam, chief information security officers need to ensure that their companies’ ransomware defenses are robust and kept up to date.
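The “brute force” initial-access vector described in the Note above is one that defenders can watch for directly in authentication logs: a burst of failed logons from one source, often cycling through several usernames, followed by a success. The script below is an added illustration of that detection logic; it is not code from the original post, from the Department of Justice, or from Malwarebytes. The log format (`ts host= event= user= src=`) and all of the log lines are constructed for the example, and the threshold of five failures within a two-minute window is an assumed tuning value, not one stated on the page. It goes slightly beyond the text by also flagging a successful logon that follows a burst from the same source, which is the stronger signal that a weak password was actually guessed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One source, 203.0.113.7,
# cycles through several accounts in under a minute and then logs in as "backup";
# the other sources show ordinary activity that should not be flagged.
SAMPLE_LOG = """\
2018-11-01T01:00:00Z host=rdp-gw1 event=logon_failed user=jsmith src=192.0.2.5
2018-11-01T01:10:00Z host=rdp-gw1 event=logon_failed user=jsmith src=192.0.2.5
2018-11-01T01:20:00Z host=rdp-gw1 event=logon_failed user=jsmith src=192.0.2.5
2018-11-01T01:30:00Z host=rdp-gw1 event=logon_failed user=jsmith src=192.0.2.5
2018-11-01T01:40:00Z host=rdp-gw1 event=logon_failed user=jsmith src=192.0.2.5
2018-11-01T02:14:03Z host=rdp-gw1 event=logon_failed user=administrator src=203.0.113.7
2018-11-01T02:14:09Z host=rdp-gw1 event=logon_failed user=admin src=203.0.113.7
2018-11-01T02:14:15Z host=rdp-gw1 event=logon_failed user=backup src=203.0.113.7
2018-11-01T02:14:22Z host=rdp-gw1 event=logon_failed user=sqlsvc src=203.0.113.7
2018-11-01T02:14:30Z host=rdp-gw1 event=logon_failed user=helpdesk src=203.0.113.7
2018-11-01T02:14:41Z host=rdp-gw1 event=logon_failed user=administrator src=203.0.113.7
2018-11-01T02:15:02Z host=rdp-gw1 event=logon_success user=backup src=203.0.113.7
2018-11-01T02:20:11Z host=rdp-gw1 event=logon_failed user=mlee src=198.51.100.20
2018-11-01T02:20:25Z host=rdp-gw1 event=logon_failed user=mlee src=198.51.100.20
2018-11-01T02:20:40Z host=rdp-gw1 event=logon_success user=mlee src=198.51.100.20
this line is malformed and must be skipped, not crash the detector
"""

# Assumed log layout for this example; adapt the pattern to your own source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {src: alert} for sources with >= threshold failed logons inside a sliding window.

    Each alert records the burst's first/last timestamps, the total failures seen from
    that source, the distinct usernames tried, and whether a logon_success followed.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)      # src -> failed logons still inside the window
    total_failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = {}
    for e in events:
        src = e["src"]
        if e["event"] == "logon_failed":
            total_failures[src] += 1
            users_tried[src].add(e["user"])
            recent[src].append(e["ts"])
            # Slide the window: discard failures older than `window` relative to this one.
            while recent[src] and e["ts"] - recent[src][0] > window:
                recent[src].pop(0)
            if len(recent[src]) >= threshold:
                alert = alerts.setdefault(src, {
                    "first": recent[src][0], "success_after_burst": False, "success_user": None,
                })
                alert["last"] = e["ts"]
                alert["failures"] = total_failures[src]
                alert["distinct_users"] = len(users_tried[src])
        elif e["event"] == "logon_success" and src in alerts:
            # A success after a burst is the strongest indicator that a password was guessed.
            alerts[src]["success_after_burst"] = True
            alerts[src]["success_user"] = e["user"]
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, alert in run_sample().items():
        print(f"{src}: {alert['failures']} failures, {alert['distinct_users']} usernames, "
              f"success_after_burst={alert['success_after_burst']} ({alert['success_user']})")
```

Only 203.0.113.7 is reported: 192.0.2.5 fails five times but spread over forty minutes, so no two-minute window ever holds five attempts, and 198.51.100.20 is an ordinary user mistyping a password twice. Real deployments would feed this from the Windows Security log (RDP) or sshd and FTP daemon logs, and pair the detection with account lockout, multi-factor authentication on remote access, and removal of internet-exposed RDP, which address the same vector the Note describes.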

In his remarks concerning the indictment, Assistant Attorney General for the Criminal Division Brian A. Benczkowski stated that “the Criminal Division and its law enforcement partners will relentlessly pursue cybercriminals who harm American citizens, businesses, and institutions, regardless of where those criminals may reside.” That statement is more than high-sounding rhetoric.  The unsealing of the indictment and the FBI’s issuance of a “Wanted by the FBI” poster for both men indicate that the Department, as it has done in other serious criminal cases involving defendants in foreign jurisdictions, is prepared to be patient and wait – for years if necessary – for an opportunity to apprehend and extradite the defendants.