Stolen Marriott data may pose many kinds of risks


The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

But the target here – hotels where high-stakes business deals, romantic trysts and espionage are daily currency – makes the data gathered especially sensitive.

The affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert.

“There are just so many things you can extrapolate from people staying at hotels,” he said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected the breach on Sept. 8 but was unable to determine until last week what data had possibly been exposed – because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

A cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the “two components needed to decrypt the payment card numbers.” It said it cannot “rule out the possibility that both were taken.”

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.

The FBI would not say whether it is investigating, but said in a statement that anyone contacted by Marriott should “take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at”

Passport numbers have previously been part of a hack, though it’s not common. They were among records on 9.4 million passengers of Hong Kong-based airline Cathay Pacific obtained in a breach announced in October.

Combined with names, addresses and other personal information, passport numbers are a greater concern than stolen credit card numbers because thieves could use them to open fraudulent accounts, said analyst Ted Rossman of Cred

The data purloining highlights just how dangerous hotels can be for people worried about their privacy.

“Consumers have become collateral damage,” he said. “And we are all consumers.” He advises providing hotels with as little information as possible when making reservations and checking in.


Marriott signage is displayed in the lobby of the company’s headquarters in Bethesda, Md. The data stolen from the Marriott hotel empire could be used for espionage, identity theft, reputational attacks and even home burglaries.
