It has been announced that up to 500 million guests of Starwood Hotels, now owned by Marriott, have been affected by a data breach. An internal investigation revealed that an attacker had gained access to the Starwood network, copied information from the Starwood guest reservation database and taken steps towards removing it.
The accessed data included names, dates of birth, passport numbers, phone numbers, email addresses and home addresses. Marriott have stated that payment card numbers were also accessed; although these were stored encrypted, Marriott cannot rule out that the components needed to decrypt them were taken as well.
Starwood Hotels was bought by Marriott in 2016, creating the world’s largest hotel company, a group that includes Sheraton, The Ritz-Carlton and St. Regis. What is surprising is that the database had been accessed since 2014, two years before the acquisition by Marriott.
Interestingly, the intrusion was only discovered because of a single security alert; nobody had suspected anything. The attacker had been quietly accessing the Starwood database for four years before that alert fired.
Marriott admitted that integration had been an ongoing challenge since the acquisition. When the acquisition took place, no security audit of the Starwood systems was carried out.
We have already seen the importance of security due diligence during an acquisition. The Yahoo! breach that exposed the details of every single user account was only fully uncovered during the company’s buyout by Verizon in 2017; worse still, Verizon discovered that Yahoo! had been aware of a breach but had not disclosed it.
High-profile attacks like this one and the Yahoo! breach expose huge amounts of data. While some of this data may seem inconsequential (pet names, mother’s maiden name, the first school you attended and so on), it does not expire, and it can be combined with data obtained in earlier breaches.
As an example, in December 2017 a Dark Web archive of 1.4 billion clear-text credentials was discovered. The data had been added to only weeks before its discovery, suggesting that it was maintained and updated regularly. Whoever collated the list had taken stolen data from different attacks and pooled it, building wider profiles of the individuals affected.
Using pooled data of this kind in further attacks is, unfortunately, becoming routine, as a spate of recent spearphishing attacks has shown.
Spearphishing is the targeted evolution of phishing (mass spam email): a message tailored to a specific individual. It uses personal information, or impersonates somebody the individual trusts, to entice them into clicking a link or downloading a file that then installs malware.
If you were affected by the Marriott breach, be cautious, because attacks of this kind commonly follow a data breach. Marriott have begun emailing guests who may have been affected, and have clearly stated that their emails will not include any links or attachments and will not ask you to enter any personal details. So if you receive an email claiming to be from Marriott about the breach that includes a link or an attachment, it is not genuine and should be deleted.
As far as we know, only Starwood hotels have been affected, not the entire Marriott chain. Unfortunately, only time will reveal the true extent of this attack and the impact it will have on future spearphishing campaigns.
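That rule (no links, no downloads) is simple enough to check mechanically before anyone clicks. The script below is an added example written for this page, not Marriott’s own tooling: it parses a raw email, pulls every URL out of the plain-text and HTML parts and lists every attachment, and flags the message if either is present. The two messages it checks are constructed samples using placeholder example.com addresses; the only assumption is the policy stated above.

```python
"""Flag a breach-notification email that contains links or attachments.

Added example: the check assumes the sender's stated policy that a genuine
notification carries no links and no downloads. The two sample messages
below are constructed for this example and use placeholder addresses.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Matches http(s) URLs and bare www. hosts in free text.
URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def analyse_message(raw: bytes) -> dict:
    """Return the links and attachments found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    links, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        filename = part.get_filename()
        # Anything offered as a file is a "download", whatever its MIME type.
        if part.get_content_disposition() == "attachment" or filename:
            attachments.append(filename or ctype)
            continue
        if ctype == "text/html":
            body = part.get_content()
            extractor = _LinkExtractor()
            extractor.feed(body)
            links.extend(extractor.links)       # anchor targets
            links.extend(URL_RE.findall(body))  # URLs left in visible text
        elif ctype == "text/plain":
            links.extend(URL_RE.findall(part.get_content()))
    unique_links = list(dict.fromkeys(links))  # de-duplicate, keep order
    return {
        "from": msg["From"],
        "links": unique_links,
        "attachments": attachments,
        "suspicious": bool(unique_links or attachments),
    }


# Constructed sample: what a notification that follows the stated policy looks like.
GENUINE = b"""From: Guest Services <no-reply@example.com>
To: guest@example.net
Subject: Information about the Starwood guest reservation database incident
Content-Type: text/plain; charset="utf-8"

We are writing to tell you about an incident involving the Starwood guest
reservation database. This message contains no links or attachments and
you will not be asked to provide any personal information.
"""

# Constructed sample: a spearphishing lure dressed up as the same notification.
PHISH = b"""From: Security Team <security@example.com>
To: guest@example.net
Subject: Urgent: verify your Starwood account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your data was exposed. Please
<a href="http://example.com/verify">confirm your details</a> within 24 hours.</p>
</body></html>
--b1
Content-Type: application/pdf; name="breach_report.pdf"
Content-Disposition: attachment; filename="breach_report.pdf"

%PDF-1.4 (constructed placeholder, not a real document)
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("phish", PHISH)):
        result = analyse_message(raw)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{label}: {verdict} links={result['links']} "
              f"attachments={result['attachments']}")
```

The check is deliberately strict: an inline image with a filename counts as a download, and a bare `www.` host in the text counts as a link, because the stated policy is that a real notification contains neither. It does not try to judge the sender address, since that is not part of the policy quoted above.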