Marriott admits it falsely claimed for five years it was using encryption during 2018 breach
Douglas Brush, a special master with the US federal courts and the chief visionary officer for Accel Consulting who is not working on the Marriott case, said this twist from Marriott has potentially serious implications for the enterprise. Beyond Marriott, it illustrates some of the dangers associated with any false claims in a breach case.
“Did Marriott make material misrepresentations to their underwriters to obtain coverage before and during the event to cover the losses? If Marriott did indeed make material misrepresentations, it would constitute a clear violation of the contract with the carrier. This could potentially lead to the carrier suing for recovery on the coverages,” Brush said. “Additionally, as part of the M&A due diligence, who the heck said there was a certain encryption standard in place around the data? Buyer, seller, both? This now brings in SEC issues because the due diligence missed something that now has a long tail and significant material impact. Further, if this gets noticed and pressed, will it impact the 2024 stock prices and be an 8-K disclosure?”
As of March 2019, the company had reported $28 million in expenses related to the breach.
AES-128 and SHA-1 are two very different security approaches
Brush added that the technical nature of these two very different security approaches (AES-128, an encryption cipher, and SHA-1, a hash function) raises questions over how it could possibly have been missed that encryption was not in place. For example, when Marriott purchased the systems from Starwood, it would have had to integrate the two systems. “To integrate the systems, you had to have known the encryption scheme,” Brush said.
When asked to make a security comparison between AES-128 and SHA-1, Fuad Hamidli — a cryptographer and senior lecturer with the New Jersey Institute of Technology — said “SHA-1 is not secure. It is broken” and that SHA-1 “is bad because it is not secure from a cryptographic perspective. I don’t know of any algorithm that can break AES-128. It doesn’t make any sense to protect data with SHA-1.”
Phil Smith, encryption product manager for Open Text, agreed with Hamidli’s assessment. “You are not going to brute force an AES-128. You can crack SHA-1 in less than an hour.”
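The practical difference the two experts are pointing at is that AES-128 is a keyed, reversible cipher, while SHA-1 is an unkeyed, one-way digest. The Go program below is an added illustration, not code from the article or from Marriott, Starwood or any of the people quoted. It encrypts a constructed passport-style value under a random AES-128 key, shows that only that key recovers it, and then shows why a bare SHA-1 digest of the same low-entropy field protects very little: the digest is deterministic, so anyone who can enumerate plausible values (here a tiny constructed candidate list, an assumption for the demo) can match it without any secret. The field value, key handling and candidate list are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// encryptAES128 seals plaintext with AES-128-GCM under a 16-byte key.
// Output layout is nonce || ciphertext || tag. Recovering the plaintext
// requires the same key; the ciphertext alone reveals nothing useful.
func encryptAES128(key []byte, plaintext string) ([]byte, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil), nil
}

// decryptAES128 reverses encryptAES128. A wrong key fails GCM's
// authentication check and returns an error instead of garbage.
func decryptAES128(key, data []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(data) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, data[:ns], data[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// sha1Hex returns the hex SHA-1 digest. There is no key and no inverse:
// the same input always yields the same digest.
func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// lookupSHA1 matches an unsalted digest against a candidate list. Because
// the digest is deterministic and unkeyed, a field with a small or
// guessable value space is effectively recoverable by anyone holding it.
func lookupSHA1(target string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if sha1Hex(c) == target {
			return c, true
		}
	}
	return "", false
}

func main() {
	passport := "X12345678" // constructed sample value, not real data

	key := make([]byte, 16)
	rand.Read(key)
	ct, _ := encryptAES128(key, passport)
	pt, _ := decryptAES128(key, ct)
	fmt.Printf("AES-128: %d-byte ciphertext, decrypts with key to %q\n", len(ct), pt)

	wrong := make([]byte, 16)
	rand.Read(wrong)
	_, err := decryptAES128(wrong, ct)
	fmt.Println("AES-128 with wrong key:", err)

	digest := sha1Hex(passport)
	// constructed candidate list standing in for an enumerable value space
	cands := []string{"A00000001", "X12345678", "Z99999999"}
	found, ok := lookupSHA1(digest, cands)
	fmt.Printf("SHA-1 %s matched without any key: %q (%v)\n", digest[:8], found, ok)
}
```

Run with `go run`; the AES section succeeds only with the original key, while the SHA-1 section recovers the value from the digest with no secret at all, which is the gap between "encrypted" and "hashed" that the article's sources describe.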