Could be used Marriott’s hacked data poses risks
■ Info on hotel stay to incriminate someone
New York, Dec. 1: Security experts alarmed by the scope of a data breach at the Marriott hotel empire worry that stolen information on specific hotel stays could be used for burglary, espionage or reputational attacks.
Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, obtaining credit card and passport numbers and other personal data, including arrival and departure dates.
The crisis quickly emerged as one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. ■ As the data included reservations for future stays, along with home addresses, burglars could target homes
■ Hackers’ access to the reservation
A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
Chris Wysopal, chief technology officer with the security firm system could be troubling if the hackers turn out to be, say, nation-state spies
■ They could know where government officials are travelling to
Veracode, said the attack goes beyond traditional credit-card theft, as information about a person’s hotel stay “could be used to incriminate someone.”
Jesse Varsalone, professor of cybersecurity at the University of Maryland, said hackers’ access to the reservation system could be troubling if the hackers turn out to be, say, nationstate spies rather than those out simply for financial gain. That information could mean knowing where government officials are travelling, such as to military bases or conferences, he said.
“There are just so many things you can extrapolate from people staying at hotels,” he said.
And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.
The affected hotel brands were operated by Starwood before being acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwoodbranded timeshare firms were also affected. None of the Marriott-branded chains were threatened.
Email notifications for those who may have been affected begin rolling out Friday. The full scope of the failure was not immediately clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times. — Agencies