{"id":89960,"date":"2019-01-05T21:42:37","date_gmt":"2019-01-06T02:42:37","guid":{"rendered":"http:\/\/rbach.net\/blog\/index.php\/"},"modified":"2021-12-29T16:06:57","modified_gmt":"2021-12-29T21:06:57","slug":"marriott-data-breach-one-of-biggest-ever","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/marriott-data-breach-one-of-biggest-ever\/","title":{"rendered":"Marriott Data Breach One Of Biggest Ever"},"content":{"rendered":"

Updated<\/strong> July 17, 2019 – The Brits slapped Marriott with a \u00a399m<\/strong> ($124m) <\/span>fine<\/strong> for \u201cinfringements of the GDPR<\/strong>.\u201d The Information Commissioner\u2019s Office<\/a> said that Marriott failed to undertake sufficient due diligence<\/strong> when it bought Starwood, and should also have done more to secure its systems prior to the data breach.<\/p>\n

___<\/p>\n

\"Marriott<\/a>The internet is a dangerous place for data. Hotel chain Marriott<\/strong><\/a> (M<\/a>AR<\/a>) proved that once again. Marriott revealed<\/a> that hackers stole<\/strong> personal information from 500 million<\/strong> Starwood Preferred Guest program participants. The data stolen in the data breach included sensitive personally identifiable information<\/strong> (PII<\/a>).<\/p>\n

\"Marriott<\/a><\/p>\n

Marriott said it got an alert<\/strong> on September 8, 2018, about an attempt to access<\/strong> the Starwood database<\/strong> and enlisted security experts to\u00a0assess the situation. During the investigation,\u00a0Marriott claims to have discovered that the unauthorized access to the Starwood network started in 2014.<\/strong><\/p>\n

Investigators found that an unauthorized party had copied and encrypted information from the database and had taken steps toward removing it. The company was able to decrypt the information on November 19, 2018, and found that the contents were from the Starwood guest reservation database<\/strong>. The hotel chain then waited until November 30, 2018, to tell its customers<\/strong> of the data theft.<\/p>\n

What was lost on the data breach<\/h3>\n

\"personally<\/a>For about 327 million<\/strong> Marriott customers, the compromised information includes some combination of name, address, phone number, email address, passport number<\/strong>, Starwood Preferred Guest (‘SPG’) account information, date of birth<\/strong>, gender, arrival and departure information, reservation date, and communication preferences. Marriott added that the data breach included payment card information<\/strong>. About 170 million<\/strong> impacted Marriott customers only had their names and basic information<\/strong> like address or email address stolen.<\/p>\n

Marriott says that about 20.3 million encrypted passport numbers<\/strong> and approximately 8.6 million encrypted payment cards<\/strong>\u00a0were compromised in the breach.<\/p>\n

\"Chinese<\/a> Several<\/a> sources<\/a> report<\/a> that state-sponsored Chinese<\/strong> hackers<\/a> working for the intelligence services and the military<\/strong> were behind the attack. The stolen data would be an espionage bonanza for government hackers. Sources point out that the Starwood attacks began in 2014, shortly after the attack<\/a> on the U.S. government’s Office of Personnel Management<\/strong> <\/a>(OPM) compromised sensitive data on tens of millions of employees, including application forms for security clearances.<\/p>\n

Sadly, the 500 million records Marriott hack only ranks as the third-largest known data breach to date. This list of fails illustrates, no matter what you\u2019re doing online every time you put your information on the internet, you risk it being stolen<\/strong>.<\/p>\n\n\n\n\n\t\n\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t
Rank<\/th>Company<\/th>Accounts Hacked<\/th>Date of Hack<\/th>\n<\/tr>\n<\/thead>\n
1<\/td>Yahoo<\/td>3 Billion<\/a><\/td>August 2013<\/td>\n<\/tr>\n
2<\/td>River City Media<\/td>1.3 Billion<\/a><\/td>May 2017<\/td>\n<\/tr>\n
3<\/td>Aadhaar<\/td>1.1 Billion<\/a><\/td>January 2018<\/td>\n<\/tr>\n
4<\/td>Marriott<\/td>500 Million<\/a><\/td>2014 - 2018<\/td>\n<\/tr>\n
5<\/td>Yahoo<\/td>500 Million<\/a><\/td>Late 2014<\/td>\n<\/tr>\n
6<\/td>Adult Friend Finder<\/td>412 Milton<\/a><\/td>October 2016<\/td>\n<\/tr>\n
7<\/td>MySpace<\/td>360 Million<\/a><\/td>May 2016<\/td>\n<\/tr>\n
8<\/td>Exactis<\/td>340 Million<\/a><\/td>June 2018<\/td>\n<\/tr>\n
9<\/td>Twitter<\/td>330 Million<\/a><\/td>May 2018<\/td>\n<\/tr>\n
10<\/td>Experian<\/td>200 Million<\/a><\/td>March 2012<\/td>\n<\/tr>\n
11<\/td>Deep Root Analytics<\/td>198 Million<\/a><\/td>June 2017<\/td>\n<\/tr>\n
12<\/td>Adobe<\/td>152 Million<\/a><\/td>October 2013<\/td>\n<\/tr>\n
13<\/td>Under Armor<\/td>150 Million<\/a><\/td>February 2018<\/td>\n<\/tr>\n
14<\/td>Equifax<\/td>145.5 Million<\/a><\/td>July 2017<\/td>\n<\/tr>\n
15<\/td>Ebay<\/td>145 Million<\/a><\/td>May 2014<\/td>\n<\/tr>\n
16<\/td>Heartland Payment Systems<\/td>134 Million<\/a><\/td>May 2008`<\/td>\n<\/tr>\n
17<\/td>Alteryx<\/td>123 Million<\/a><\/td>December 2017<\/td>\n<\/tr>\n
18<\/td>Nametests<\/td>120 Million<\/a><\/td>June 2018<\/td>\n<\/tr>\n
19<\/td>LinkedIn<\/td>117 Million<\/a><\/td>June 2012<\/td>\n<\/tr>\n
20<\/td>Target<\/td>110 Million<\/a><\/td>November 2013<\/td>\n<\/tr>\n
21<\/td>Quora<\/td>100 million<\/a><\/td>November 2018<\/td>\n<\/tr>\n
22<\/td>VK<\/td>100 Million<\/a><\/td>December 2018<\/td>\n<\/tr>\n
23<\/td>Firebase<\/td>100 Million<\/a><\/td>June 2018<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n

rb-<\/em><\/strong><\/p>\n

There is something else fishy here. Reports<\/a> claim that the data was encrypted using AES-128\u00a0<\/a>but not all the stolen data. Attackers were able to steal nearly 20 million<\/a> passport numbers, and\u00a08.6 million encrypted payment cards.<\/em><\/p>\n

Marriott says that the attackers were able to gain access to 5.25 million unencrypted passport numbers and 2,000 unencrypted payment card numbers.<\/em><\/p>\n

I’m sure that regulators (GDPR<\/a>) and lawyers will ask why unencrypted sensitive info like passports and credit card numbers lying around waiting to be stolen?<\/em><\/p>\n

 <\/p>\n

Related articles<\/em><\/h6>\n