Espionage, ID theft? Myriad risks from stolen Marriott data

The Bradenton Herald (Sunday) - Nation & World - BY MICHELLE CHAPMAN, MAE ANDERSON AND FRANK BAJAK

NEW YORK

The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

But the target here – hotels where high-stakes business deals, romantic trysts and espionage are daily currency – makes the data gathered especially sensitive.

The affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert.

“There are just so many things you can extrapolate from people staying at hotels,” he said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of Legal-Shield, a provider of legal services.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected the breach Sept. 8 but was unable to determine until last week what data had possibly been exposed – because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

A cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the “two components needed to decrypt the payment card numbers.” It said it cannot “rule out the possibility that both were taken.”

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.
