Mar­riott breach ex­poses data of up to 500 mil­lion

Cri­sis emerges as one of the big­gest hacks on record

Daily Southtown (Sunday) - - BUSINESS - By Michelle Chapman and Mae Anderson

NEW YORK — Hack­ers stole in­for­ma­tion on as many as 500 mil­lion guests of the Mar­riott ho­tel em­pire over four years, ob­tain­ing credit card and pass­port num­bers and other per­sonal data, the com­pany said Fri­day as it ac­knowl­edged one of the largest se­cu­rity breaches in his­tory.

The full scope of the fail­ure­was not clear. Mar­riottwas try­ing to de­ter­mine if the records in­cluded du­pli­cates, such as a sin­gle per­son stay­ing mul­ti­ple times.

It was also un­clear what hack­ers could do with the credit card in­for­ma­tion. Though it was stored in en­crypted form, it­was pos­si­ble that hack­ers also ob­tained the two com­po­nents needed to de­scram­ble the num­bers, the com­pany said.

The cri­sis emerged as one of the largest data breaches on record. By com­par­i­son, last year’s Equifax hack af­fect­ed­more than 145 mil­lion peo­ple.

A Tar­get breach in 2013 af­fected more than 41 mil­lion pay­ment card ac­counts and ex­posed con­tact in­for­ma­tion for more than 60 mil­lion cus­tomers.

Se­cu­rity an­a­lysts were alarmed to learn that the breach be­gan in 2014. While such fail­ures of­ten span months, four years is ex­treme, said Yonatan Striem-Amit, chief tech­nol­ogy of­fi­cer of Cy­berea­son.

The af­fected ho­tel brands were op­er­ated by Star­wood be­fore it was ac­quired by Mar­riott in 2016. They in­clude W Ho­tels, St. Regis, Sher­a­ton, Westin, Ele­ment, Aloft, The Lux­ury Col­lec­tion, Le Meri­dien and Four Points.

Star­wood-branded time­share prop­er­ties were also in­cluded.

None of the Mar­riot­tbranded chains were threat­ened.

For as many as twothirds of those af­fected, the ex­posed data could in­clude mail­ing ad­dresses, phone num­bers, email ad­dresses and pass­port num­bers. Also in­cluded might be dates of birth, gen­der, reser­va­tion dates, ar­rival and de­par­ture times, and Star­wood Pre­ferred Guest ac­count in­for­ma­tion.

“We fell short of what our guests de­serve and what we ex­pect of our­selves,” CEO Arne Soren­son said.

Mar­riott set up aweb­site and call cen­ter for cus­tomers who be­lieve they are at risk.

The stolen in­for­ma­tion could be used by crim­i­nals to cre­ate fraud­u­lent bank ac­counts.

It isn’t com­mon for pass­port num­bers to be part of a hack, but it is not un­heard of. Hong Kong-based air­line Cathay Pa­cific Air­ways said in Oc­to­ber that 9.4 mil­lion pas­sen­gers’ in­for­ma­tion had been breached, in­clud­ing pass­port num­bers.

Pass­port num­bers are of­ten re­quested by ho­tels out­side the United States be­cause U.S. driver’s li­censes are not ac­cepted there as iden­ti­fi­ca­tion.

And while the credit card in­dus­try can can­cel ac­counts and is­sue new cards within days, it is a much more dif­fi­cult process, of­ten steeped in gov­ern­ment bu­reau­cracy, to get a new pass­port.

But one fac­tor about pass­ports is that they are of­ten re­quired to be seen in per­son, said Ryan Wilk of NuData Se­cu­rity.

“It’s a highly se­cure doc­u­ment with a lot of se­cu­rity fea­tures,” he said.

Email no­ti­fi­ca­tions for those who may have been af­fected were ex­pected to be­gin rolling out Fri­day.

Mar­riott, based in Bethesda, Md., said in a reg­u­la­tory fil­ing that it was pre­ma­ture to es­ti­mate what fi­nan­cial im­pact the breach will have on the com­pany. It noted that it does have cy­ber in­sur­ance.

Elected of­fi­cials were quick to call for ac­tion.

The New York at­tor­ney gen­eral opened an in­ves­ti­ga­tion.

Vir­ginia Sen. Mark Warner, co-founder of the Se­nate cy­ber­se­cu­rity cau­cus and the top Demo­crat on the Se­nate In­tel­li­gence Com­mit­tee, said that the U.S. needs laws that will limit the data that com­pa­nies can col­lect on their cus­tomers.

SCOTT OLSON/GETTY

Mar­riott said Fri­day that its Star­wood data­base was hacked, com­pro­mis­ing the pri­vate data of cus­tomers.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.