Stolen Marriott data creates risks of espionage, ID theft

The News & Observer (Sunday) - Obituaries - BY MICHELLE CHAPMAN, MAE ANDERSON AND FRANK BAJAK

The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

But the target here – hotels where high-stakes business deals, romantic trysts and espionage are daily currency – makes the data gathered especially sensitive.

The affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert.

“There are just so many things you can extrapolate from people staying at hotels,” he said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it was first detected Sept. 8 but was unable to determine until last week what data had possibly been exposed – because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

A cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.


The data stolen from the Marriott hotel empire could be used for espionage, identity theft or reputational attacks.
