December 1, 2018
Data belonging to over 500 million guests of Marriott International was stolen after hackers breached its Starwood reservation system. The hotel chain was known for collecting large quantities of personal data from its customers, including credit card numbers, home addresses, and sometimes even passport numbers. All of this data is now considered compromised as a result of the attack.
The intrusion reportedly began quietly and a long time ago. It is believed to have started in 2014 and to be the second largest theft of personal data in history. Only one incident has involved a larger amount of personal information: the breach of Yahoo back in 2013, in which over three billion accounts were compromised.
This breach shows that even the largest companies remain vulnerable, despite the fact that such incidents have been occurring for years now. It is believed that the Starwood attack started at the same time as multiple other breaches, most of which targeted US health insurers, government agencies, and security research firms. Many believe that the attacks are part of an effort to build a large database containing as much personal information as possible, likely for the purpose of pinpointing espionage targets.
It is currently unknown whether this attack has any connection to the other incidents; however, the data stolen from the Starwood system has still not been found on the dark web. This was confirmed by the cyber insurance provider Coalition as well as the cybersecurity company Recorded Future. According to experts, this may indicate that the thieves are not trying to sell the stolen information, at least not on an open market. Instead, it is usually a sign that some entity is assembling a data collection for intelligence purposes.
The breach affected every customer who made a reservation at Marriott-owned Starwood hotels in a four-year period, from 2014 to September 2018. This includes numerous brands such as Tribute, Luxury Collection, Four Points, Sheraton, W Hotels, Le Méridien, Element, Design Hotels, St. Regis, Westin, Aloft, and others. Some hotels, such as Ritz-Carlton and Residence Inn, operate on a different reservation system, although the company has plans to merge it with Starwood's.
What is Marriott doing about it?
As mentioned, the stolen data includes pretty much anything that hotels have ever asked for. This includes names, phone numbers, home addresses, email addresses, birth dates, credit card data (encrypted), and even passport numbers and travel histories. Affected guests can reach the company via a dedicated website or a call center, while the company itself is making an effort to inform every individual believed to be affected by the attack.
Furthermore, the company is currently offering one year of free use of the WebWatcher service to customers located in the US, the UK, or Canada. The service monitors websites known for trading stolen data and notifies anyone whose information is detected there.
Marriott’s chief executive and president, Arne Sorenson, stated that the company deeply regrets the incident and that this is not what its guests deserve. The worst part is that the intrusion went unnoticed for years, even after Marriott acquired Starwood for $13.6 billion in 2016. It was finally uncovered in early September after a security tool flagged an unauthorized attempt to access the database. Security experts were quickly notified, and the truth came to light.
The full scope of the attack was discovered only recently, on November 19.
Consequences of the breach
This type of attack has been growing rapidly in recent years, especially in the hospitality industry. Experts believe that stolen customer lists and the private information they contain are of little use to small-time hackers; such data would, however, be very useful to governments and espionage agencies.
Such data can feed analysis programs and help with advertisement targeting, pinpointing movements of intelligence agents, and more.
Following the news of the hack, numerous lawsuits were filed against the company, and Barbara D. Underwood, New York’s attorney general, announced an official investigation. European regulators did the same, which is also significant, as companies operating in Europe may be fined as much as 4% of their global revenue under data protection laws. Whenever a breach is discovered, the affected company has 72 hours to report it to the authorities.
Right now, it is believed that Marriott will likely face a huge fine, especially taking into account the sensitivity of the stolen data.
As for the company itself, it assured its shareholders that the breach will likely not affect the firm’s financial prospects in the long term. However, the price of Marriott’s shares fell by 5% following the Friday announcement.
Meanwhile, the company has been dealing with strikes by its workers in as many as nine cities, while customers continue to complain about Marriott’s rewards program. As for lawmakers, they stated that this is yet another reason why the US should punish companies for failing to properly protect their customers’ data. Privacy advocates agreed, stating that there is no excuse for a breach of this size to go unnoticed for such a long period of time.