Albany Times Union

Heavy scrutiny in Marriott breach

Guests’ credit card numbers among data compromised

- By David Lombardo

A security breach going back as long as four years inside the Marriott hotel empire compromised the information of as many as 500 million guests worldwide, exposing their credit card numbers, passport numbers and birth dates.

The compromised system, which customers began receiving notifications about on Friday, is one of the largest data breaches of the digital era, easily dwarfing the Equifax hack last year. Exposed information could include credit card numbers and expiration dates, mailing addresses, phone numbers, email addresses and passport numbers.

The security failure is drawing the scrutiny of government watchdogs all over the country, including an investigation by state Attorney General Barbara Underwood.

“Under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet,” said an office spokesperson.

The estimated reach of the breach includes guests who made a reservation at one of the affected hotels as well as those who booked multiple stays, according to Marriott.

The company says that unauthorized access to data at former Starwood hotels, which the company acquired two years ago, has been taking place since 2014.

“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

None of the Marriott-branded chains were threatened. The affected hotel brands include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties are also included.

Marriott has had a rocky process of merging its computer system with Starwood computers. Members of both loyalty programs have complained about missing points, glitches with stays crediting to their accounts and problems with free nights earned from credit cards not appearing.

An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had possibly been exposed until last week.

Under New York law, a company is required to report a data breach to consumers “in the most expedient time possible.” The attorney general’s office is allowed to pursue damages to consumers and civil penalties if the company “knowingly” violated the law or acted recklessly.

State Sen. David Carlucci, a Rockland County Democrat, cited this breach as the latest sign for New York to beef up and modernize its cybersecurity laws. He is pushing legislation that would expand reporting requirements for companies.

In response to the Equifax hack, New York passed legislation prohibiting consumer credit agencies from charging any fees relating to freezing or unfreezing credit, which is a common step for preventing stolen data from being used. The federal government took similar steps relating to credit freezing fees.

U.S. Sen. Mark Warner, a Virginia Democrat and co-founder of the Senate cybersecurity caucus, said the country needs laws that will limit the data companies can collect on their customers.

“It is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses,” Warner said in a prepared statement.

While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.

“The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted,” said analyst Ted Rossman of Creditcards.com. “People should be concerned that criminals could use this info to open fraudulent accounts in their names.”

It isn’t common for passport numbers to be part of a hack, but it is not unheard of. Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers’ information had been breached, including passport numbers.

Passport numbers can be added to full sets of data about a person that bad actors sell on the black market, leading to identity theft. And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.

But one redeeming factor about passports is that they are often required to be seen in person, said Ryan Wilk of Nudata Security. “It’s a highly secure document with a lot of security features,” he said.

Marriott has set up a website, https://answers.kroll.com, to address any questions customers have.
