Updated July 17, 2019 – The Brits slapped Marriott with a £99m ($124m) fine for “infringements of the GDPR.” The Information Commissioner’s Office said that Marriott failed to undertake sufficient due diligence when it bought Starwood, and should also have done more to secure its systems prior to the data breach.
___
The internet is a dangerous place for data. Hotel chain Marriott (MAR) proved that once again. Marriott revealed that hackers stole personal information from 500 million Starwood Preferred Guest program participants. The data stolen in the data breach included sensitive personally identifiable information (PII).
Marriott said it got an alert on September 8, 2018, about an attempt to access the Starwood database and enlisted security experts to assess the situation. During the investigation, Marriott claims to have discovered that the unauthorized access to the Starwood network started in 2014.
Investigators found that an unauthorized party had copied and encrypted information from the database and had taken steps toward removing it. The company was able to decrypt the information on November 19, 2018, and found that the contents were from the Starwood guest reservation database. The hotel chain then waited until November 30, 2018, to tell its customers of the data theft.
What was lost on the data breach
For about 327 million Marriott customers, the compromised information includes some combination of name, address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. Marriott added that the data breach included payment card information. About 170 million impacted Marriott customers only had their names and basic information like address or email address stolen.
Marriott says that about 20.3 million encrypted passport numbers and approximately 8.6 million encrypted payment cards were compromised in the breach.
Several sources report that state-sponsored Chinese hackers working for the intelligence services and the military were behind the attack. The stolen data would be an espionage bonanza for government hackers. Sources point out that the Starwood attacks began in 2014, shortly after the attack on the U.S. government’s Office of Personnel Management (OPM) compromised sensitive data on tens of millions of employees, including application forms for security clearances.
Sadly, the 500 million records Marriott hack only ranks as the third-largest known data breach to date. This list of fails illustrates, no matter what you’re doing online every time you put your information on the internet, you risk it being stolen.
| Rank | Company | Accounts Hacked | Date of Hack |
|---|---|---|---|
| 1 | Yahoo | 3 Billion | August 2013 |
| 2 | River City Media | 1.3 Billion | May 2017 |
| 3 | Aadhaar | 1.1 Billion | January 2018 |
| 4 | Marriott | 500 Million | 2014 - 2018 |
| 5 | Yahoo | 500 Million | Late 2014 |
| 6 | Adult Friend Finder | 412 Milton | October 2016 |
| 7 | MySpace | 360 Million | May 2016 |
| 8 | Exactis | 340 Million | June 2018 |
| 9 | 330 Million | May 2018 | |
| 10 | Experian | 200 Million | March 2012 |
| 11 | Deep Root Analytics | 198 Million | June 2017 |
| 12 | Adobe | 152 Million | October 2013 |
| 13 | Under Armor | 150 Million | February 2018 |
| 14 | Equifax | 145.5 Million | July 2017 |
| 15 | Ebay | 145 Million | May 2014 |
| 16 | Heartland Payment Systems | 134 Million | May 2008` |
| 17 | Alteryx | 123 Million | December 2017 |
| 18 | Nametests | 120 Million | June 2018 |
| 19 | 117 Million | June 2012 | |
| 20 | Target | 110 Million | November 2013 |
| 21 | Quora | 100 million | November 2018 |
| 22 | VK | 100 Million | December 2018 |
| 23 | Firebase | 100 Million | June 2018 |
rb-
There is something else fishy here. Reports claim that the data was encrypted using AES-128 but not all the stolen data. Attackers were able to steal nearly 20 million passport numbers, and 8.6 million encrypted payment cards.
Marriott says that the attackers were able to gain access to 5.25 million unencrypted passport numbers and 2,000 unencrypted payment card numbers.
I’m sure that regulators (GDPR) and lawyers will ask why unencrypted sensitive info like passports and credit card numbers lying around waiting to be stolen?
Related articles
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.