Just over a month ago, Marriott International, one of the world’s largest hotel chains, announced that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. Among the hotels under the Starwood brand are the W Hotels, St. Regis, Sheraton, Westin, and Design Hotels and Resorts, as well as all Starwood-branded timeshare properties. Even with the reduction in the number of affected guests, the Marriott breach remains one of the largest data breaches to date – more than double that of Equifax, which exposed the personal data of 147.7 million Americans.
What exactly was stolen?
The database gave hackers access to the names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, arrival and departure information, loyalty account information, reservation dates, and communication preferences of nearly 330 million guests.
Marriott says the number of consumers swept up in a breach of its data is fewer than the 500 million initially estimated, and in recent reports, admitted its Starwood hotel unit had failed to encrypt the passport numbers.
The company announced that approximately 5.25 million unencrypted passport numbers were stolen in the breach, while another 20 million encrypted passport numbers were acquired. They released a statement saying: “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers”
For many of these guests, the stolen information also included payment card numbers and expiry dates. Although the hotel chain attempted to safeguard this information using the Advanced Encryption Standard (AES-18) method, Marriott has not yet been able to rule out the possibility that both components needed for decryption were not also stolen.
With the investigative reports released Friday afternoon, we now know that there were about 8.6 million encrypted credit card numbers stolen in the breach. Marriott said it’s still investigating how many stolen payment card numbers were not encrypted.
What should I do?
Monitoring your transaction history is important, but especially so if you made a reservation with a Starwood hotel on or before September 10th, 2018.
Marriott began sending emails on a rolling basis Wednesday, November 30th to affected guests with email addresses on file; however, they cautioned customers to stay vigilant as malicious actors may try to pose as Marriott. The hotel cautioned affected customers to only accept emails from the official email address listed on their website.
The hotel chain also established a dedicated website with an FAQ section and a call center to answer any questions. The company has also offered to pay for new passports if affected guests can prove they were victims of fraud.
A fraud monitoring service is being provided by Marriott via WebWatchers free of cost to all affected guests for one year. The service monitors all sites where personal information is shared and guests are alerted if their data is found. Individuals can enroll via Marriott’s website.
Who’s behind the Marriott breach?
That remains unclear, though Reuters, The Washington Post and The New York Times reported that investigators believe China is responsible.
Lawmakers have called for companies to improve their cybersecurity, and Sen. Ron Wyden (D-OR) released a draft of the Consumer Data Protection Act, which would create new protections for consumer information and strict punishments for those found to be abusing user data. The proposed bill would send senior executives to jail for 10 to 20 years if they fail to follow the guidelines for data use.
Monitoring banking statements for unauthorized purchases and reviewing all loyalty program activity for suspicious behavior is a good first step. Also, knowing exactly what kind of information was lost in the data breach can help alert you to any activity out of the norm.
Never give out credentials or passwords via phone or email and stay vigilant against phishing attempts, especially in the wake of another data breach. Be sure to change the password on any account that may have been associated with the breach.
If you were one of the Marriott guests whose payment-card number was stolen, contact the bank or organization that issued the card. Explain that your account is at risk of fraud and ask the card issuer to alert you if it detects suspicious activity on your account. The bank will almost certainly cancel the card and issue you a new one.
And finally, contact the major consumer credit-reporting bureaus and ask each to place a fraud alert on your name. This way, if your financial identity has been compromised — for example, by trying to open a credit card account in your name — you’ll know.
Arne Sorenson, Marriott’s President and Chief Executive Officer, said “We deeply regret this incident happened, we fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
by Callie Guenther | CyberSOC Data Scientist
January 9, 2019