One of the year’s biggest hacks has just been revealed. Hotel chain giant Marriott admitted 500 million guests had been hit by an attack that dates back at least four years.
The company said Friday the information was taken from the Starwood guest reservation database. It amounts to a goldmine of data for any would-be identity thief, or a government surveillance operative.
For 327 million of those guests, the information included “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.”
Marriott said that for some the lost data also included payment card numbers and expiration dates. Card numbers were encrypted using an algorithm known as Advanced Encryption Standard (AES-128). But, Marriott admitted, “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Law enforcement has been informed. Arne Sorenson, Marriott’s president and chief executive officer, apologized, saying, “We fell short of what our guests deserve and what we expect of ourselves.”
Affected customers have been offered a one-year subscription to WebWatcher, which will alert them if their personal data appears online. And a website, info.starwoodhotels.com, has been set up for any questions guests have.
Marriott was alerted to the breach on September 8 by its IT security systems. The company later discovered that hackers had been sitting on the Starwood network since 2014.
It transpired that cybercriminals had copied and encrypted information from the Starwood database. On November 19, days after former presidential candidate Mitt Romney had announced he was leaving the Marriott board following his election to the Senate, Marriott decrypted the copied data and discovered just what had been taken.
The breach appears to affect customers across the world and will likely impact populations from over a hundred countries. Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
In a filing with the SEC, Marriott said it was “premature to estimate the financial impact to the company.”
It isn’t the first time Starwood computers have been hacked. Back in 2015, the company said its point-of-sale systems had been hit with a strain of malware. That was just days after its acquisition by Marriott.
Myriad hotel chains have been breached in recent years. They include attacks on Donald Trump’s hotel group, Hyatt and Kimpton amongst many others.
Alan Woodward, encryption expert and professor at the University of Surrey, raised concerns around Marriott’s statement on the security of credit card data. “Reading between the lines it’s almost as if they were storing the AES [encryption] keys somewhere that may also have been compromised, and hence the encrypted details would be decrypted by the hackers,” Woodward told Forbes.
“These keys are normally kept well away from the encrypted data for obvious reasons. If the hackers were easily able to obtain both it negates the whole point of having the card details encrypted in the first place.”
Marriott hadn’t responded to requests for comment on those security mechanisms.
It also hadn’t responded to an inquiry regarding two sales of Marriott stock that were announced earlier in November, before the discovery of what data was taken, but long after the initial breach was uncovered.
Marriott could be facing problems with New York law enforcement too. As per a comment from the New York Attorney General’s office: “We’ve opened an investigation into the Marriott data breach. Additionally, under New York law, Marriott was required to provide notification to our office upon discovering the breach; they have not done so as of yet.”