Marriott Hotels cyber attack affects 500 million guests
3rd December 2018
The giant Marriott Hotels chain has confirmed a data security incident that may have resulted in the loss of confidential information of up to 500 million guests. In a remarkably low-key news announcement, the company confirmed that the security breach of its Starwood reservation database had been ongoing for a period of four years.
500 million and counting
For 327 million of the individuals affected, the stolen data included information such as passport numbers, emails, date of birth, gender and mailing addresses. For some, the data also includes payment card numbers and payment card expiration dates. Marriott confirmed that the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). They also added that they couldn’t rule out the possibility that the attackers had also stolen the encryption keys needed to decrypt the payment data!
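The last point is the one a practitioner should dwell on: AES-128 ciphertext sitting next to the key that decrypts it offers no protection once the database and the key are both copied. The example below is added here and is not Marriott's or Starwood's code; it is a minimal Go illustration of envelope encryption, in which each card number is sealed under a per-record data key and that data key is in turn sealed under a key-encryption key (KEK) that is never stored with the data. Names such as `StoreCard`, `ReadCard`, the `Record` type and the sample card number and keys are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// seal encrypts plaintext with AES-128-GCM under key; the random nonce is prepended
// to the ciphertext so that open can recover it.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM's authentication tag makes decryption under the wrong key fail.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Record models what a reservation database row holds under envelope encryption
// (constructed for this example): the card number sealed under a per-record data key,
// and that data key sealed under the KEK. The KEK itself is never written to the row.
type Record struct {
	SealedPAN      []byte
	WrappedDataKey []byte
}

// StoreCard generates a fresh 128-bit data key for this record, seals the card number
// under it, and wraps the data key under kek (which would live in an HSM or KMS).
func StoreCard(kek []byte, pan string) (Record, error) {
	dek := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	sealedPAN, err := seal(dek, []byte(pan))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{SealedPAN: sealedPAN, WrappedDataKey: wrapped}, nil
}

// ReadCard unwraps the data key with kek and then decrypts the card number. Whoever
// holds kek can read every record; whoever only copied the rows cannot read any.
func ReadCard(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDataKey)
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pan, err := open(dek, r.SealedPAN)
	if err != nil {
		return "", fmt.Errorf("decrypt card number: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := []byte("0123456789abcdef")                // constructed 16-byte KEK
	rec, _ := StoreCard(kek, "4111111111111111")      // constructed test card number
	pan, _ := ReadCard(kek, rec)
	fmt.Println("legitimate reader with KEK:", pan)
	_, err := ReadCard([]byte("fedcba9876543210"), rec) // attacker with the dump but not the KEK
	fmt.Println("attacker without KEK:", err)
}
```

The design point is where the KEK lives: if the KEK sits in the same database, configuration file or host as the rows, a copy of the data is a copy of the plaintext, which is exactly the scenario the company could not rule out. Keeping the KEK in a separate, access-logged key store also gives defenders a second signal, since bulk decryption then shows up as an unusual volume of unwrap requests rather than as a silent file copy.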
Cyber attack for four years
Marriott received an alert on the 8th September from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. During the subsequent investigation, they discovered that there had been unauthorised access to the Starwood network since 2014. They also revealed that a third party had copied and encrypted data and sent it to an unknown external location.
Marriott has not disclosed exactly how the hack happened. KrebsOnSecurity suggests that the acquisition of Starwood by Marriott in 2016 may have allowed hackers to quietly remain inside Starwood’s database. Starwood disclosed a breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, the earlier breach stretched back at least one year to November 2014.
The Marriott – the second largest breach ever
The largest reported cyber security breach was that suffered by Yahoo in 2013. Now part of Verizon Communications, the internet search company reported that data from 3 billion of its users had been exposed. The Marriott breach ranks as the second biggest to date, and its scale is no doubt linked to the length of the attack (since 2014) and the very large number of guests who stay in its hotels worldwide.
Who has been affected?
Only guests who stayed at Marriott’s Starwood-branded hotels in the past four years are affected. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
The Telegraph reported that angry customers have taken to Twitter to complain that they found out about the breach through news reports, rather than by receiving an email from Marriott. “Were you planning on letting me know that pretty much everything except my toothbrush got stolen on your watch?” one user said. Almost as quickly, class-action lawsuits have been filed in Oregon and Maryland by three individual Marriott customers. The plaintiff in the Oregon lawsuit is claiming $125 million in costs and damages.
Breaking the law in Europe
Marriott has informed the UK’s Information Commissioner’s Office (ICO) of the breach, as required under the EU General Data Protection Regulation (GDPR). The ICO has the power to fine companies up to 4% of their global turnover, which for Marriott could result in a fine in the region of $916m.
A spokesman for the ICO said: “We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries. We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online.”
Hospitality is very attractive to hackers
The hospitality industry is particularly attractive to cyber criminals. Hotels store and process desirable personal data from high-net-worth individuals and often use complex IT systems and services. Point-of-sale payment card transactions dominate payments at hotels, and there is usually a legal requirement to capture passport information of international guests as part of the booking process.