The Marriott Hack – What Really Happened?

On November 30th, 2018, Marriott International released a statement letting its customers know of a large-scale data breach. According to the statement, the breach affected the information of 500 million Starwood property guests. Read on for the full Marriott hack story.

The Marriott Breach – The Full Story

According to Marriott’s official statement, the company was the target of a hack that affected around 500 million guests. The hackers even had access to several reservation systems belonging to Marriott for the past 4 years.

The breach seems to come from Marriott’s Starwood Hotel chain and were present 2 years before Marriott purchased the chain. In other words, Marriott did not catch this particular breach during the merger.

Here’s how the whole thing went down:

1. 2014: The Starwood Hotel’s database was breached.
2. 2016: Marriott acquired the hotel chain, unaware of the database breach.
3. September 8, 2018: An internal security tool notified Marriott of an attempt to access the Starwood guest reservation database in the US.
4. Sometime between September and November: Marriott learned that “an unauthorized party had copied and encrypted information” off of Starwood’s database.
5. November 19, 2018: Marriott finally decrypted the information and determined the contents of the breach.
6. November 30, 2018: Marriott released a public statement informing its guests of the data breach.

So far, the hack seems to have affected 500 million Starwood guests. Marriott specified that,

“For 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, data of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates.”

While Marriott uses encryptions to protect credit card numbers, the company cannot rule out the possibility that the encryption keys were also stolen.

Who is Behind the Marriott Hack?

We really don’t know who is behind the Marriott hack yet. However, security experts have been having a field day trying to figure it out.

Some experts believe this was a nation-state hack, given the longevity of its duration and the fact that it targeted such a high-level hotel chain. Security expert and former British intelligence officer, Matt Tait, explained this train of thought by saying that “Nation-states are happy to watch and use the information very passively while criminals want to turn it into cash”.

Others, however, point to the general lack of security within the travel industry as evidence of criminal motive. Gary Leff summed up this camp by saying “I don’t think it necessarily would have taken a nation-state to crack into Starwood IT”.

The Marriott Hack – Final Thoughts

That is all of the information we know about the Marriott Hack so far. What many people around the world are waiting for, however, is how the GDPR is going to handle Marriot’s delay in informing the public. According to GDPR regulations, a company has 72 hours to inform the public of any data breach. This may be the GDPR’s first chance to officially prove its commitment to user data. Marriot may soon be looking at a billion dollar fine. If that happens, it would make Marriot the first company officially fined by the GDPR.