Marriott data breached
Hack that began as far back as 2014 could affect up to 500million
The hotel chain asked guests checking in for a treasure trove of personal information: credit card, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation systems and had stolen the personal data of up to 500 million guests.
The assault stated as far back as 2014, and is one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected 3 billion users accounts.
The intrusion was a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W hotels, St. Regis, Sheraton, Westin, element, Aloft, The Luxury Collection, le Meridien and Four Points. Starwood-branded time-share properties were also affected. None of the Marriott-branded chains were threatened.
The crisis quickly emerged as one of the biggest data breaches on record.
On a scale of 1 to 10 size breaches. There have only been a few of them of this scale and scope in the last decade," said Chris Wysopal, chief technology officer of Veracode, a security company.
by comparison, last year's Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
An extreme theft
Security analysts were especially alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.
It was unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest accounts information.
"We fell short of what our guests deserve and what we expect of ourselves," CEO Arne Sorenson said in a statement. "We are doing everything we can to support our guests and using lessons learned to be better moving forward."
The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.
Marriott set up a website and call center for customers who believe they are at risk.
The hackers' access to the reservation system could be troubling if they turn out to be, say, nation-state spies rather than con artists simply seeking financial gain, said Jesse Varsalone, associate professor of cybersecurity at the University of Maryland University College.
Reservation information could mean knowing when and where government officials are traveling, to military bases, conferences or other destinations abroad, he said.
"There are just so many things you can extrapolate from people staying at hotels," Varsalone said.
The richness of the data makes the hack unique, Waysopal said.
"Once you know someone's arrival, departure, room preferences," that could be used to incriminate a person or for a reputation attack that "goes beyond your traditional identity theft or credit-card theft," he said.
Data of great concern
It isn't common for passport numbers to be part of a hack, but it is not unheard of, Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers' information had been breached, including passport numbers. Passport numbers are often requested by hotels outside the U.S. because U.S. driver's licenses are not accepted there as identification. The numbers could be added to full sets of data about a person that had actors sell on the black market, leading to identity theft.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.
Email notifications for those who may have been affected began rolling out Friday.
When the merger was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,7000 properties across the globe, most in North America.
While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.
the names, addresses, passport numbers and other personal information "is of greater concern that the payment info, which was encrypted," analyst Ted Rossman of CreditCards.com said, citing the risk that thieves could open fraudulent accounts.
An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had possibly been exposed until last week.
The New York attorney general opened an investigation and elected officials were quickly to call for action.
Sen. Mark Warner, D-Va., co-founder of the Senate Cybersecurity Caucus, said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers "shoulder the burden and harms resulting from these lapses."
Things to know about the Marriott hack
Data of up to 500M guests has been stolen; could you be at risk?
NEW YORK - If you stayed at one of Marriott's Starwood hotels in recent years, hackers might have information of your address, credit card and even your passport. Some of this can be used for identity theft, as hackers create bank and other accounts under your name.
Marriott says the breach affected up to 500 million guests, though it's possible the records could include a single person who booked multiple stays. Marriott says the unauthorized access had been taking place since 2014 and was only recently discovered.
How can you tell if you've been affected, and what can you do if you are? Here are some things to know:
The scope
the breach affects only the hotel brands operated by Starwood before Marriott bought it in 2016. The brands include W Hotels, St. Regis, Sheraton, Wetin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties are also affected. Marriott-branded chains aren't affected.
Marriott says the breach affected reservations at Starwood properties through Sept. 10, 2018. That could include reservations made for a future stay.
Am I affected?
Marriott says it began sending emails to affected guests on Friday. Be careful, though, when you receive an email about this breach, as hackers may be using the incident to dupe you into providing passwords or installing malicious software. If you get such an email, it's best to go directly to a website Marriott has set up on this breach: answers.kroll.com. where you can find phone numbers to call.
What should I do?
Marriott is offering a free one-year subscription to a monitoring service, WebWacher. This service monitors websites where stolen information is shared. If your details are found, you'll get an alert. It's available only for guests from the United States, Canada and the United Kingdom. U.S. residents are also eligible for consultation with a fraud specialist and reimbursement for legal and other expenses related to identity theft.
Though Marriott doesn't know yet whether hackers go all the keys to unlock encrypted credit card data, the company says it's quite possible they did. You should review your credit card statements for unauthorized activities.
In the U.S., you can also request free credit reports from Equifax, Experian and TransUnion. These reports may reveal accounts opened under your name.
For about two-thirds of the 500 million Starwood quests affected, hackers may also have the date of birth and gender, which can contribute to identity theft.
Hackers also got passport numbers on this group of guests if the hotel had them. This might be the case with stays outside the U.S., where a U.S. driver's license isn't always good news I that criminals often need the actual passport to do anything with your number.
The data base may have details on future stays, including arrival and departure dates, along with your home address. Burglars could figure out when you'll be away. Ask a friend or neighbor to check your home, or arrange a house sitter.
And the future?
There's not much you can do to prevent such hacks, but you can mitigate the damage. For starters, consider using a credit card rather than a debit card, as credit cards typically offer more protections against losses.
Even if you weren't affected in this breach, request the free credit reports anyhow. After all, they are free. Details are at the Marriott website. Check the website havibeenpwned.com to see if your information has been stolen in other breaches.
And think twice when businesses ask you for personal information. Does the hotel really need your date of birth?
The hotel chain asked guests checking in for a treasure trove of personal information: credit card, addresses and sometimes passport numbers. On Friday, consumers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation systems and had stolen the personal data of up to 500 million guests.
The assault stated as far back as 2014, and is one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected 3 billion users accounts.
The intrusion was a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W hotels, St. Regis, Sheraton, Westin, element, Aloft, The Luxury Collection, le Meridien and Four Points. Starwood-branded time-share properties were also affected. None of the Marriott-branded chains were threatened.
The crisis quickly emerged as one of the biggest data breaches on record.
On a scale of 1 to 10 size breaches. There have only been a few of them of this scale and scope in the last decade," said Chris Wysopal, chief technology officer of Veracode, a security company.
by comparison, last year's Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
An extreme theft
Security analysts were especially alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.
It was unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest accounts information.
"We fell short of what our guests deserve and what we expect of ourselves," CEO Arne Sorenson said in a statement. "We are doing everything we can to support our guests and using lessons learned to be better moving forward."
The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.
Marriott set up a website and call center for customers who believe they are at risk.
The hackers' access to the reservation system could be troubling if they turn out to be, say, nation-state spies rather than con artists simply seeking financial gain, said Jesse Varsalone, associate professor of cybersecurity at the University of Maryland University College.
Reservation information could mean knowing when and where government officials are traveling, to military bases, conferences or other destinations abroad, he said.
"There are just so many things you can extrapolate from people staying at hotels," Varsalone said.
The richness of the data makes the hack unique, Waysopal said.
"Once you know someone's arrival, departure, room preferences," that could be used to incriminate a person or for a reputation attack that "goes beyond your traditional identity theft or credit-card theft," he said.
Data of great concern
It isn't common for passport numbers to be part of a hack, but it is not unheard of, Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers' information had been breached, including passport numbers. Passport numbers are often requested by hotels outside the U.S. because U.S. driver's licenses are not accepted there as identification. The numbers could be added to full sets of data about a person that had actors sell on the black market, leading to identity theft.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.
Email notifications for those who may have been affected began rolling out Friday.
When the merger was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,7000 properties across the globe, most in North America.
While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.
the names, addresses, passport numbers and other personal information "is of greater concern that the payment info, which was encrypted," analyst Ted Rossman of CreditCards.com said, citing the risk that thieves could open fraudulent accounts.
An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had possibly been exposed until last week.
The New York attorney general opened an investigation and elected officials were quickly to call for action.
Sen. Mark Warner, D-Va., co-founder of the Senate Cybersecurity Caucus, said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers "shoulder the burden and harms resulting from these lapses."
Things to know about the Marriott hack
Data of up to 500M guests has been stolen; could you be at risk?
NEW YORK - If you stayed at one of Marriott's Starwood hotels in recent years, hackers might have information of your address, credit card and even your passport. Some of this can be used for identity theft, as hackers create bank and other accounts under your name.
Marriott says the breach affected up to 500 million guests, though it's possible the records could include a single person who booked multiple stays. Marriott says the unauthorized access had been taking place since 2014 and was only recently discovered.
How can you tell if you've been affected, and what can you do if you are? Here are some things to know:
The scope
the breach affects only the hotel brands operated by Starwood before Marriott bought it in 2016. The brands include W Hotels, St. Regis, Sheraton, Wetin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points. Starwood-branded timeshare properties are also affected. Marriott-branded chains aren't affected.
Marriott says the breach affected reservations at Starwood properties through Sept. 10, 2018. That could include reservations made for a future stay.
Am I affected?
Marriott says it began sending emails to affected guests on Friday. Be careful, though, when you receive an email about this breach, as hackers may be using the incident to dupe you into providing passwords or installing malicious software. If you get such an email, it's best to go directly to a website Marriott has set up on this breach: answers.kroll.com. where you can find phone numbers to call.
What should I do?
Marriott is offering a free one-year subscription to a monitoring service, WebWacher. This service monitors websites where stolen information is shared. If your details are found, you'll get an alert. It's available only for guests from the United States, Canada and the United Kingdom. U.S. residents are also eligible for consultation with a fraud specialist and reimbursement for legal and other expenses related to identity theft.
Though Marriott doesn't know yet whether hackers go all the keys to unlock encrypted credit card data, the company says it's quite possible they did. You should review your credit card statements for unauthorized activities.
In the U.S., you can also request free credit reports from Equifax, Experian and TransUnion. These reports may reveal accounts opened under your name.
For about two-thirds of the 500 million Starwood quests affected, hackers may also have the date of birth and gender, which can contribute to identity theft.
Hackers also got passport numbers on this group of guests if the hotel had them. This might be the case with stays outside the U.S., where a U.S. driver's license isn't always good news I that criminals often need the actual passport to do anything with your number.
The data base may have details on future stays, including arrival and departure dates, along with your home address. Burglars could figure out when you'll be away. Ask a friend or neighbor to check your home, or arrange a house sitter.
And the future?
There's not much you can do to prevent such hacks, but you can mitigate the damage. For starters, consider using a credit card rather than a debit card, as credit cards typically offer more protections against losses.
Even if you weren't affected in this breach, request the free credit reports anyhow. After all, they are free. Details are at the Marriott website. Check the website havibeenpwned.com to see if your information has been stolen in other breaches.
And think twice when businesses ask you for personal information. Does the hotel really need your date of birth?
Comments