Marriott Hacking Exposes Data of Up to 500 Million Guests


The hotel chain asked guests checking in for a trove of personal information: credit cards, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International disclosed that hackers had breached its Starwood reservation system and had stolen the personal data of as many as 500 million guests.

The attack began as far back as 2014, and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than the 2017 episode involving the credit bureau Equifax.

The intrusion was a reminder that after years of headline-grabbing attacks, the computer networks of large companies are still vulnerable.

The Starwood attack occurred at roughly the same time as a number of other breaches at American health insurers and government agencies, including the United States Office of Personnel Management, in what security research firms and government officials described as an effort to compile an enormous database of personal information on potential espionage targets.

Experts do not know whether the Starwood attack was linked to those other episodes. But Starwood's data has not turned up on the so-called dark web, according to Recorded Future, a cybersecurity firm, and Coalition, a cyber insurance provider, which suggested that the hotel attackers were not looking to sell what they took.

“Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington.

The breach affected customers who made reservations at the Marriott-owned Starwood hotel brands from 2014 to September 2018. The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Element and the Luxury Collection.

Marriott hotels, including Residence Inn and the Ritz-Carlton, operate on a separate reservation system. The company has plans to merge that system with Starwood's.

The names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.

In recent years, cybersecurity experts said, the hospitality industry has become a rich target for nation-state hackers looking to track the travel movements and preferences of heads of states, diplomats, chief executives and other people of interest to espionage agencies.

Going after hotel customer lists has been part of a broader effort to obtain giant databases of information, so large, in fact, that they would be of little use to run-of-the-mill hackers. But to a government, they would be very useful.

That information could be fed, for example, into an analysis program run by a country’s state security apparatus, Mr. Lewis said. Using “big data” technology similar to what marketers use in targeted advertising, the country could try to pinpoint the comings and goings of intelligence agents from other nations. Did they stay, for example, in the same hotel as a potential source for that country?

The breach could get expensive for Marriott. Verizon cut what it paid to acquire Yahoo by $350 million after the internet company reported its breach in 2016. And Equifax reported recovery costs of $400 million from its 2017 incident, which affected 148 million people.

Despite months of due diligence, finding out there was a major network attack long after a deal closes is “everybody’s worst-case scenario,” said Jake Olcott, vice president at BitSight, a computer security ratings company in Boston.

Several lawsuits were filed against Marriott on Friday, and investigations were announced by New York’s attorney general, Barbara D. Underwood, and European regulators.

In Europe, where companies can be fined up to 4 percent of global revenue under data protection laws, companies must alert government authorities within 72 hours of a known breach.

Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott “has the potential to trigger the first hefty G.D.P.R. fine,” said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law enacted this year.

Marriott told shareholders that it did not expect the breach would affect the company’s long-term financial prospects. The company’s share price was down more than 5 percent on Friday.

Marriott has also been dealing with strikes by thousands of workers in nine cities, as well as customer complaints about problems with rewards programs after efforts to merge data from Starwood’s rewards program into Marriott’s left the records of millions of customers in limbo.

Lawmakers said the episode was yet another example of why the United States needs data privacy laws that punish companies for failing to keep customers’ information private.

“It is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses,” Senator Mark R. Warner, a Democrat from Virginia, said in a statement.

Privacy advocates said there was no excuse for a breach to go unnoticed for four years.

“They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing,” said Gus Hosein, executive director of Privacy International, a group that supports strong data protection laws.



Source link Nytimes.com
