Massive Hotel Data Breach - Threatwire Crosspost
Added 2018-12-04 17:06:08 +0000 UTC. By Shannon Morse, Threatwire
It’s been a while since we’ve had a massive data breach like this one. Marriott International, the world’s largest hotel chain, disclosed on November 30 that a database belonging to its subsidiary, Starwood Hotels, had been compromised, potentially affecting up to 500 million guests. Marriott International's Starwood brands include W, St Regis, Sheraton, Westin, Le Meridien, Four Points, Element, Aloft, Tribute, and The Luxury Collection - all of which are affected, as they use the same reservation system. There’s been a bit of confusion about who is affected: this affects Starwood hotel brands, NOT Marriott properties. Marriott acquired Starwood, but doesn’t use the same database. With that said, this is one of the largest known security breaches in history.
In a news center bulletin posted by the company, Marriott stated that it had determined on November 19 that the incident was caused by unauthorized access to the database. The database contained information on guests who stayed at Starwood properties on or before September 10, 2018, which was two days after the company learned of the breach. With the help of security vendors, they soon realized that the unauthorized access had been occurring on the Starwood network since 2014. That’s FOUR years without being noticed. Four years. The attacker copied and encrypted information from the database, and tried to remove it. Marriott decrypted the copied information and discovered its contents.
It all came from the guest reservation database, including names, mailing addresses, phone numbers, email addresses, passport numbers, SPG (Starwood Preferred Guest) account info, date of birth, gender, arrival and departure info, reservation dates, and communication preferences. Also included were payment card numbers and expiration dates, encrypted with AES-128. Marriott didn’t overstate the protection AES-128 provides; it noted that two components are needed to decrypt those payment card numbers, and that it’s entirely possible those components were stolen too. They currently estimate that 327 million customers had all of that information in the database, while the rest of the 500 million had only limited information, such as name and mailing address, stolen.
Marriott notified authorities and is supporting law enforcement in an investigation. They created a website, info.starwoodhotels.com, for anyone who has more questions. They’ve also offered a free one-year subscription to WebWatcher, which alerts users if their personal information is found on the web. The company will email affected guests whose email addresses were found in the database.
This means that an attacker DOES have access to all of that data, including travel habits, frequency of travel, and passport numbers - which might have much larger national security ramifications.
Marriott's story isn’t over, though, because the company could face harsh penalties under Europe's GDPR. It could expect fines of four percent of its global revenue, or a fine of 20 million dollars, whichever is higher. New York's Attorney General's office also stated it will open an investigation into the breach. Senators acted swiftly to call on Congress for federal legislation soon after the Starwood breach was announced. It’s uncertain how much Marriott International will owe for the breach, since it’s likely to be penalized outside of GDPR as well, but estimates from IBM/Ponemon put the price at $3.5 billion, which will likely be covered up to a point by Marriott’s cybersecurity liability insurance.
And this isn’t the first problem Marriott has faced - the company was also the target of malware attacks in both 2015 and 2016. Having acquired Starwood, Marriott will now be looking at the price it has to pay for the breach - due diligence is key with online security - and proactively protecting your clientele is a worthy investment. Waiting until after a breach now comes with much larger penalties, given GDPR. Consumers will also likely see more phishing, since so much data was stolen.
For more stories like this one, check out https://www.youtube.com/hak5 and https://www.patreon.com/threatwire. Thanks for listening!
Comments
Thanks for the concise write-up, I have been looking for this for a while.
Jeffrey J Johnson
2018-12-05 01:25:22 +0000 UTC