Marriott Says Up To 500 Million Breach Also Includes Trump Hotels
Hacked information includes passport numbers, payment-card numbers in addition to addresses, travel details.
Hilton Worldwide Holdings Inc. and Trump Hotels have also said hackers had stolen information.
Marriott International Inc., the world’s largest hotel company, said it identified a data breach in its Starwood reservation system that may have exposed personal information of up to 500 million guests.
For roughly two-thirds of the guests who were possibly affected, an unauthorized party may have had access to names, addresses, phone numbers, email addresses, passport numbers, and travel details, Marriott said Friday.
In some cases, the company said, the information also included payment-card information. Marriott said payment-card numbers are usually encrypted, though it could not rule out that card information was stolen.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” Marriott Chief Executive Arne Sorenson said in a news release.
The breach only impacted Starwood hotel brands. The Starwood reservation system still exists, a Marriott spokeswoman said. However, by the end of the year Marriott will have one reservation system, she said.
Marriott said its internal security tool alerted it to a potential breach of its U.S. database on Sept. 8. After an investigation, the company found that the Starwood guest database may have been compromised since 2014, which precedes Marriott’s acquisition of Starwood. The database contained information for guests who made reservations on or before Sept. 10.
The company found that the unauthorized party had copied information from the database, encrypted it, and attempted to remove it from the network. Because the attacker had encrypted the copied data, it wasn’t until Nov. 19 that Marriott was able to decrypt it and determine what the breach contained.
Starwood’s brands include Sheraton, W Hotels, Westin, Le Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The Luxury Collection, Tribute Portfolio, and Design Hotels.
Marriott said it has been working with law enforcement and regulatory authorities regarding the breach.
A spokeswoman for Federal Bureau of Investigation said the FBI is tracking the situation.
Hotel chains have been hit by a wave of data breaches in recent years, often with hackers trying to steal customer credit- and debit-card information.
In 2015, Starwood said hackers had stolen payment-card information during a data breach that lasted nearly eight months at 54 locations.
The Marriott hack is one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected.
Only a 2013 breach of Yahoo that affected three billion people, nearly the entirety of Yahoo’s user base, may be bigger, security experts said. Another hack of Yahoo that occurred in 2014 affected roughly 500 million people.
Hackers often root through computer networks for years without detection. Remaining hidden for so long—Marriott said the intrusion dated back to 2014—can make investigating a breach more difficult, as companies often don’t retain their full history of systems and network-traffic logs, said Blake Darche, co-founder and chief security officer at the cybersecurity company Area 1 Security.
The compromise of passport information could be the most significant aspect of the Marriott breach, particularly if it was carried out by a state-sponsored actor for intelligence purposes, said Mr. Darche, a former official with the National Security Agency. “It’s super useful for tracking people,” he said.
The company said it would begin on Friday notifying affected guests whose email addresses were in the Starwood database.
It has set up a website and call center to answer questions about the breach. The company is also providing guests with the chance to enroll in WebWatcher, a service that monitors internet sites where personal information is shared, for free for one year.
“We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” Mr. Sorenson said.
Marriott completed the $13.6 billion acquisition of Starwood Hotels & Resorts in 2016. Marriott has had problems since the acquisition with integrating its technology systems with those from Starwood. Travelers have reported problems with hotel stays being credited to loyalty accounts and have complained about customer service not helping when issues were identified.
In a Friday regulatory filing, Bethesda, Md.-based Marriott said that it couldn’t yet estimate the financial impact of the data breach. The company, which carries cyber insurance, said it is working with its insurance carriers to assess coverage and it will disclose costs later.
“The company does not believe this incident will impact its long-term financial health,” Marriott said in the filing.
Marriott has more than 6,700 properties under 30 hotel brands, including the Ritz-Carlton and Renaissance.
Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say
Attack in 2015 could have prompted hotel operator to investigate and find hackers who lurked in its computer system, experts say.
Marriott International Inc. says it responded quickly when it learned in recent weeks of a colossal theft of customer data. But cybersecurity specialists say the company missed a significant chance to halt the breach years earlier.
Marriott on Friday said the hack of the reservation database for its Starwood properties, which involved the theft of personal information on up to 500 million customers, began in 2014 and went undetected until this September.
In 2015, Starwood reported a much smaller breach, in which attackers installed malware on point-of-sale systems in some hotel restaurants and gift shops to siphon off payment-card information. It disclosed the attack four days after Marriott announced a deal to acquire Starwood Hotels & Resorts Worldwide for what ended up being $13.6 billion, creating the No. 1 hotel company globally.
Marriott says that the 2015 incident was different and not related to the attack made public Friday. But security specialists say that while it’s not unusual for breach investigations to miss a second intruder, a more thorough investigation into the 2015 intrusion could have uncovered the attackers, who instead were able to lurk in its reservation system for three more years.
“With all the resources they have, they should have been able to isolate hackers back in 2015,” said Andrei Barysevich, a researcher with the security company Recorded Future Inc.
“Obviously, all involved would have preferred that this incident had been identified earlier,” a Marriott spokeswoman said Sunday via email. “When there is a concern that payment cards are at risk, forensic investigations start looking at devices that process payment cards and follow the evidence from there.”
The spokeswoman declined to comment on the 2015 investigation, saying it happened before Marriott had acquired the company. Starwood said at the time that it didn’t think that attack affected its guest reservation system.
The newly disclosed data theft is rivaled in its scope only by hacks against Yahoo in 2014 and 2013 that stole data on 500 million and three billion users, respectively. It threatens to damage Marriott’s reputation at a time when its dominance is being challenged not only by traditional rivals but also upstarts like Airbnb Inc.
News of the attack sent Marriott’s shares down 5.6% Friday.
Marriott as of Sunday was still sorting through the attack’s cause and impact. It said it first received a security alert on Sept. 8, and moved quickly to notify customers and regulators after determining on Nov. 19 that the hackers acquired information in the Starwood reservation database.
For about 327 million customers, the hackers may have gained access to passport numbers, travel details and, in some cases, credit-card information, as well as names and addresses, it said. Investigators also found a file of about 170 million customers created by the hackers that contains much less information, the company said Sunday.
Marriott began sending out emails to customers on Friday, a process that will take weeks. Some customers complained that they couldn’t get clear information from Marriott on whether or not they had been affected. Marriott said Sunday it was still identifying duplicate information in the second data file to determine exactly who was affected.
The Federal Bureau of Investigation said it is tracking the Marriott situation and attorneys general in New York, Illinois and Massachusetts have opened investigations.
Several Democrats, including Sens. Mark Warner of Virginia and Elizabeth Warren of Massachusetts, blasted Marriott on Friday and called for national data-breach laws. “CEOs won’t take protecting our data seriously unless their own jobs are on the line,” said Sen. Warren in a Twitter message.
At the time of the 2014 intrusion, hackers were on a hotel spree. By 2015 they had broken into systems at Hilton Worldwide, Trump Hotel Collection, Mandarin Oriental and others.
Attackers target hotels because they hold rich troves of credit-card data, hosted on computers that often are accessible remotely for maintenance purposes, and because the industry generally has had lax protections, experts say. “The hospitality industry has never been at the forefront of security,” said Vincent Liu, a partner with the security consulting firm Bishop Fox.
Other watershed breaches—the 2013 hack at Target Corp. and the 2014 break-in at Sony Pictures Entertainment Inc.—gained widespread attention and spurred industrywide efforts to shore up computer security weaknesses, Mr. Liu said. “Maybe this is something that will resonate through the boardrooms of the hospitality industry,” he added.
While those incidents did lead to increased corporate spending on computer security, they prompted no substantial action by Congress.
In 2011, Starwood finished a 10-year project code-named Valhalla to upgrade its reservation system, a massive centralized database used to book and hold reservations for the company’s approximately 370,000 rooms spread across nearly 1,300 properties under different brands in about 100 countries.
The hotels used a range of different payment and property-management systems assembled from Starwood’s many acquisitions, making the global computer network difficult to secure, according to former Starwood employees.
“It’s a juicy place to attack,” said Paul West, a hotel industry consultant who advises on cyber insurance and risk management. The payment systems, in particular, are often vulnerable to attack. “Some of these places, like a little tiki bar in some resort, sometimes those systems are left unattended,” Mr. West said.
The hackers in the 2015 incident had been lurking in Starwood’s networks for nearly eight months when they were detected, the company said at the time. Initially, the company said that 54 hotels had been breached, but two months later it said that more than 100 hotels were hit.
Starwood said in a November 2015 statement that it had hired outside forensic experts to conduct an “extensive investigation” into that breach, and that there was no indication its guest reservation or Starwood Preferred Guest membership systems were affected. “We want to assure our customers that we have implemented additional security measures to help prevent this type of crime from reoccurring,” an executive said in the statement.
The attackers in the newly disclosed breach had already broken into Starwood’s network in 2014, Marriott says. The hackers had created two massive data files lifted from the system and took steps to remove them from the company’s systems. Marriott said it still isn’t sure whether they removed this information from its network.
Security companies and Marriott said Sunday they hadn’t observed the stolen data for sale on criminal marketplaces. That could mean the hackers simply weren’t able to remove their stolen data from Marriott’s network, but given the duration of the breach that seems unlikely, said Recorded Future’s Mr. Barysevich.
Because of the apparent lack of attempts to sell the data and its sensitive nature, including passport numbers, some government officials and cyber investigators worry that the hackers may have worked on behalf of a foreign government rather than a criminal organization.
Mr. Barysevich believes that is unlikely. Hackers often don’t sell stolen data until they are sure their breach has been discovered, because a sale can tip off the victim and get the intruders ejected from the network, he said. “We think that the data will be released,” he said.