Hotel heavyweight Marriott announced a massive hack on 30 November 2018 that impacted as many as 500 million customers who made a reservation at a Starwood hotel. The intrusion that caused the enormous data breach dates back to the beginning of 2014.
Marriott is working with law enforcement and regulators to investigate the hack, with no finalised number of people impacted. Their network held different combinations of names, addresses, phone numbers, email addresses, passport numbers, dates of birth and trip reservation information, all of which were compromised. Some credit card numbers were also stolen as part of the breach.
The amount of time the attackers had inside the system is what made the breach as bad as it turned out to be. Four years is more than enough time for the attackers to have tweaked defences and ultimately learned more about the system to understand where the valuable data was. The attackers also had ample time to encrypt the stolen data during the unauthorised access to this information.
Marriott is apparently treating this incident as if every Starwood customer has been impacted. Since the initial announcement of the breach, Marriott has issued this statement advising clientele on how to protect themselves from the damaging consequences they may experience as a result: “If you’ve stayed at an SPG hotel in the last few years, the standard advice applies: Enrol in the free monitoring, change your SPG password—and on any other account where you might have reused it—and watch your finances for suspicious activity.”
- Marriott has sent out numerous notification emails to impacted customers.
- They have established a call centre and a breach notification website that can be used to look up whether your information was stolen, or how much of it.
- The company is also offering enrolment in the identity monitoring service WebWatcher for one year to anyone who thinks they were impacted by the four-year network intrusion.
- Enrolment in WebWatcher includes a reimbursement benefit for expenses related to fraud and identity theft, and unlimited consultation with identity theft specialists at the corporate incident response firm Kroll. The services are available to people in the US, Canada and the United Kingdom.
The Marriott breach appears to have had the uncommon characteristic of exposing hundreds of millions of passport numbers, and this information can be used maliciously to make counterfeit passports. It can also be combined with other personal details, creating a new window for online fraud and abuse.
Marriott’s investigation is apparently ongoing, but no definite answers have been disclosed yet about how the attackers initially got onto the Starwood network, or how the activity went undetected for so long. Marriott’s spokespeople have shared their deep regret about the incident and are doing everything they can to support their guests. Focus will now be placed on the ongoing security enhancements to their network.