Mar­riott se­cu­rity breach ex­posed data of up to 500M guests

Rome News-Tribune - - NEWS - By Michelle Chap­man and Mae An­der­son

NEW YORK — Hack­ers stole in­for­ma­tion on as many as 500 mil­lion guests of the Mar­riott ho­tel em­pire over four years, ob­tain­ing credit card and pass­port num­bers and other per­sonal data, the com­pany said Fri­day as it ac­knowl­edged one of the largest se­cu­rity breaches in his­tory.

The full scope of the fail­ure was not im­me­di­ately clear. Mar­riott was try­ing to de­ter­mine if the records in­cluded du­pli­cates, such as a sin­gle per­son stay­ing mul­ti­ple times.

The af­fected ho­tel brands were op­er­ated by Star­wood be­fore it was ac­quired by Mar­riott in 2016. They in­clude W Ho­tels, St. Regis, Sher­a­ton, Westin, El­e­ment, Aloft, The Lux­ury Col­lec­tion, Le Méri­dien and Four Points. Star­wood-branded time­share prop­er­ties were also af­fected. None of the Mar­riott-branded chains were threat­ened.

The cri­sis quickly emerged as one of the big­gest data breaches on record.

“On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade,” said Chris Wysopal, chief tech­nol­ogy of­fi­cer of Ver­a­code, a se­cu­rity com­pany.

By com­par­i­son, last year’s Equifax hack af­fected more than 145 mil­lion peo­ple. A Tar­get breach in 2013 af­fected more than 41 mil­lion pay­ment card ac­counts and ex­posed con­tact in­for­ma­tion for more than 60 mil­lion cus­tomers.

Se­cu­rity an­a­lysts were es­pe­cially alarmed to learn that the breach be­gan in 2014. While such fail­ures of­ten span months, four years is ex­treme, said Yonatan Striem-Amit, chief tech­nol­ogy of­fi­cer of Cy­berea­son.

It was un­clear what hack­ers could do with the credit card in­for­ma­tion. Though it was stored in en­crypted form, it was pos­si­ble that hack­ers also ob­tained the two com­po­nents needed to de­scram­ble the num­bers, the com­pany said.

For as many as two-thirds of those af­fected, the ex­posed data could in­clude mail­ing ad­dresses, phone num­bers, email ad­dresses and pass- port num­bers. Also in­cluded might be dates of birth, gen­der, reser­va­tion dates, ar­rival and de­par­ture times and Star­wood Pre­ferred Guest ac­count in­for­ma­tion.

“We fell short of what our guests de­serve and what we ex­pect of our­selves,” CEO Arne Soren­son said in a state­ment. “We are do­ing ev­ery­thing we can to sup­port our guests and us­ing lessons learned to be bet­ter mov­ing for­ward.”

/ AP-Danny John­ston, File

A man works on a new Mar­riott sign in front of the for­mer Pe­abody Ho­tel in Lit­tle Rock, Ark. Mar­riott says the in­for­ma­tion of up to 500 mil­lion guests at its Star­wood ho­tels has been com­pro­mised. It said Fri­day that there was a breach of its data­base in Septem­ber, but also found out through an in­ves­ti­ga­tion that there has been unau­tho­rized ac­cess to the Star­wood net­work since 2014.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.