“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken”
Hotel and lodging chain Marriott International has revealed that it has been the subject of a massive data hack in which threat actors have copied the personal information of over 500 million Marriott guests.
On September 8th of this year Marriott was alerted by an internal security tool that someone had tried to illegally access the guest reservation database of its Starwood customers. Starwood was a separate hotel chain before its acquisition by Marriott International in 2016.
Marriott say that they quickly engaged security experts to analyse the threat and they discovered that there had been unauthorised access to the Starwood data base as far back as 2014.
The threat actor had copied and encrypted information, cyber analysts decrypted the data and identified it as the Starwood guest reservation database.
Marriott International in a press release addressing the issue stated that so far they have identified approximately 500 million guest records and that for: “327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number.”
As well as “Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Some of the account records do contain credit card numbers and payment card expiration dates. Customer payment records were encrypted with (AES-128) the common Advanced Encryption Standard.
However, Marriott note that: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Tom van de Wiele, security consultant, F-Secure commented in an emailed statement that: “The hack was targeted at a part of the company that Marriott acquired as few years ago, being Starwood.”
“This is a common trend where it’s usually not the main company that is targeted but rather attackers aim to compromise the softer underbelly of the organisation, which are usually IT service providers, contractors and other entities with a high number of interactions within the company.”
“Interactions mean a lot of moving parts to try and control, while other acquisition and fusion efforts are going on. Things like the integration of IT systems and the security thereof take a lot of time between two companies that have to merge requirements, security policies, IT environments, technology stack and company cultures.”
Marriott International have set up support lines to help anyone affected and have contacted all the relevant policing and regulatory bodies in relation to the hack. They have also begun to step up the process of phasing out the Starwood systems.
Aatish Pattni, regional director for UK & Ireland for cybersecurity vendor, Link11 commented in an emailed statement that: “This follows the trend we have seen in the attacks against the aviation industry this year: these, and the related travel and hospitality sectors process and store huge amounts of high-value personal information such as passport numbers, credit-card details and more.
“Although it’s not certain that the stolen data has been used as yet, people who think they may be affected should be wary of any email communications they receive relating to the breach and should not share any other sensitive details by email. Scammers often prey on peoples’ concerns to try and harvest more data so that they can use stolen payment card details or commit other types of fraud.”