MARRIOTT SECURITY BREACH EXPOSED DATA OF UP TO 500M GUESTS

Apple Magazine - - Summary -

Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, obtaining credit card and passport numbers and other personal data, the company said last week as it acknowledged one of the largest security breaches in history.

The full scope of the failure was not immediately clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

“On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade,” said Chris Wysopal, chief technology officer of Veracode, a security company.

By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

Security analysts were especially alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.

It was unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests and using lessons learned to be better moving forward.”

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.

The hackers’ access to the reservation system could be troubling if they turn out to be, say, nation-state spies rather than con artists simply seeking financial gain, said Jesse Varsalone, associate professor of cybersecurity at the University of Maryland University College.

Reservation information could mean knowing when and where government officials are traveling, to military bases, conferences or other destinations abroad, he said.

“There are just so many things you can extrapolate from people staying at hotels,” Varsalone said.

The richness of the data makes the hack unique, Wysopal said.

“Once you know someone’s arrival, departure, room preferences,” that could be used to incriminate a person or for a reputation attack that “goes beyond your traditional identity theft or credit-card theft,” he said.

It isn’t common for passport numbers to be part of a hack, but it is not unheard of. Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers’ information had been breached, including passport numbers.

Passport numbers are often requested by hotels outside the U.S. because U.S. driver’s licenses are not accepted there as identification. The numbers could be added to full sets of data about a person that bad actors sell on the black market, leading to identity theft.

And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.

But one redeeming factor about passports is that they are often required to be seen in person, said Ryan Wilk of NuData Security. “It’s a highly secure document with a lot of security features,” he said.

Email notifications for those who may have been affected begin rolling out.

When the merger was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.

While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.

The names, addresses, passport numbers and other personal information “is of greater concern than the payment info, which was encrypted,” analyst Ted Rossman of CreditCards.com said, citing the risk that thieves could open fraudulent accounts.

An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had possibly been exposed until last week.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was premature to estimate what financial impact the breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.

Elected officials were quick to call for action.

The New York attorney general opened an investigation. Virginia Sen. Mark Warner, cofounder of the Senate Cybersecurity Caucus, said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers “shoulder the burden and harms resulting from these lapses.”
