In one of the biggest hacks of the year, hotel chain giant Marriott admitted that 500 million of its customers had been hit by an attack that began close to four years ago. The company announced that the information had been extracted from the Starwood reservation database. This amounts to a gold mine of data for any identity thief or for government surveillance authorities.
For close to 327 million of these customers, the stolen information consisted of some combination of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates and communication preferences.
Marriott representatives added that some of the stolen data also included payment card numbers and expiration dates. The card numbers were supposed to be encrypted with the Advanced Encryption Standard (AES-128). Marriott also admitted that, although two components have to be decrypted in order to access the payment card numbers, it was not ruling out the possibility that both components had been stolen.
Marriott’s president and chief executive officer, Arne Sorenson, issued a statement apologizing for the hotel chain’s lax cybersecurity measures and added that law enforcement had been informed and that the company was doing everything possible to mitigate the repercussions the breach could have for the victims.
Marriott also said that affected customers were being offered a one-year subscription to WebWatcher, which alerts them if their personal data appears online. A dedicated website was also set up for affected guests.
How Things Went Down
On September 8, Marriott was alerted to the intrusion by its IT security systems. It later discovered that the attackers had been prying into the Starwood network since 2014. It soon became apparent that the intruders had copied and encrypted critical information from the Starwood database. Only a few days after former presidential candidate Mitt Romney announced that he would vacate his seat on the Marriott board after winning a Senate seat, Marriott began decrypting the stolen data and discovered exactly what information had been compromised.
Millions of customers from over a hundred countries are said to have been affected by the breach. In a filing with the SEC, Marriott said that it was too early to estimate the exact financial impact of the breach on the company. This is not the first time Starwood computers have been hacked. In 2015, the company disclosed that its point-of-sale systems had been infected with malware, only days after it was acquired by Marriott.
Skepticism About the Quality of Encryption
Experts have raised concerns about Marriott’s statements, noting that AES keys, the secret material needed to decrypt the data, are almost always stored in databases, meaning that the keys too could have been compromised. Best practice is to keep such keys separate from the encrypted data for obvious reasons. This could mean that Marriott is not disclosing the full extent and scale of the attack. Marriott did not respond to inquiries about how its security mechanisms were designed or about the exact details of its cybersecurity measures. Nor did it respond to the many requests for details regarding two Marriott share sales announced earlier in November, prior to the discovery of what data had been collected but long after the discovery of the original breach. Marriott could also face legal problems in New York: according to a recent statement by the New York Attorney General’s Office, an investigation into the Marriott data breach has been opened to determine the circumstances of the hacking.
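The separation the experts describe, shown as an added Go example rather than anything from Marriott's or Starwood's systems: each card number is sealed with AES-128-GCM under a per-row data key, and that data key is itself sealed under a key-encryption key assumed to live outside the database (an HSM or key-management service), so a copy of the table is only one of the two components and yields no card numbers on its own. The `Record` layout, the `EncryptCard`/`DecryptCard` functions and the key values are constructed for illustration; they are not Starwood's schema or Marriott's design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Record struct { // one row of a hypothetical reservation table (constructed, not Starwood's schema)
	Nonce, Ciphertext     []byte // card number sealed under a per-row data key (DEK)
	WrapNonce, WrappedDEK []byte // the DEK sealed under a key-encryption key (KEK) kept off-database
}
func must[T any](v T, err error) T { // invariant failures (bad key length, no entropy) abort
	if err != nil {
		panic(err)
	}
	return v
}
// aead builds an AES-128-GCM cipher; seal encrypts under it with a fresh random nonce.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func seal(key, plaintext []byte) (nonce, ct []byte) {
	g := aead(key)
	nonce = make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return nonce, g.Seal(nil, nonce, plaintext, nil)
}
// EncryptCard builds the stored row; kek is the 16-byte key that never enters the database.
func EncryptCard(kek []byte, card string) Record {
	dek := make([]byte, 16) // fresh AES-128 data key for this row only
	must(rand.Read(dek))
	n, ct := seal(dek, []byte(card))
	wn, wdek := seal(kek, dek)
	return Record{n, ct, wn, wdek}
}
// DecryptCard needs both components: a table dump alone has no KEK, and a wrong KEK fails GCM authentication.
func DecryptCard(kek []byte, r Record) (string, error) {
	if len(kek) != 16 {
		return "", fmt.Errorf("KEK unavailable: the database copy alone cannot be decrypted")
	}
	dek, err := aead(kek).Open(nil, r.WrapNonce, r.WrappedDEK, nil)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	card, err := aead(dek).Open(nil, r.Nonce, r.Ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("open card number: %w", err)
	}
	return string(card), nil
}
```

If the KEK is stored in the same database as the rows, as the experts suspect, a dump hands the attacker both components and the envelope adds nothing; the design only helps when the KEK truly stays outside the data store.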