Marriott Hacking Exposes Data of Up to 500 Million Guests

The hotel chain asked guests checking in for a treasure trove of personal data: credit cards, addresses and sometimes passport numbers. On Friday, customers learned the risk. Marriott International revealed that hackers had breached its Starwood reservation system and had stolen the personal data of up to 500 million guests.

The attack began as far back as 2014 and was one of the largest known thefts of personal records, second only to a 2013 breach of Yahoo that affected three billion user accounts and larger than a 2017 episode involving the credit bureau Equifax.

The intrusion was a reminder that after years of headline-grabbing attacks, the computer networks of large companies are still vulnerable.

The Starwood attack occurred at roughly the same time as a number of other breaches at American health insurers and government agencies, including the United States Office of Personnel Management, in what security research firms and government officials described as an effort to compile a vast database of personal information on potential espionage targets.

Experts don’t know whether the Starwood attack was related to those other episodes. But Starwood’s data has not popped up on the so-called dark web, according to Recorded Future, a cybersecurity firm, and Coalition, a cyber insurance provider, which suggested that the hotel attackers weren’t looking to sell what they took.

“Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes,” said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington.

The breach hit customers who made reservations at the Marriott-owned Starwood hotel brands from 2014 to September 2018. The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Le Méridien, Tribute, Design Hotels, Element and the Luxury Collection.

Marriott hotels, including Residence Inn and the Ritz-Carlton, operate on a separate reservation system. The company has plans to merge that system with Starwood’s.

The names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details of hotel customers were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.

In recent years, cybersecurity experts said, the hospitality industry has become a rich target for nation-state hackers looking to track the travel movements and preferences of heads of states, diplomats, chief executives and other people of interest to espionage agencies.

Going after hotel customer lists has been part of a broader effort to obtain giant databases of information, so big, in fact, that they would be of little use to run-of-the-mill hackers. But to a government, they would be very useful.

That information could be fed, for example, into an analysis program run by a country’s state security apparatus, Mr. Lewis said. Using “big data” technology similar to what marketers use in targeted advertising, the country could try to pinpoint the comings and goings of intelligence agents from other nations. Did they stay, for example, in the same hotel as a potential source for that country?

The breach could get expensive for Marriott. Verizon cut what it paid to acquire Yahoo by $350 million after the internet company reported its breach in 2016. And Equifax reported recovery costs of $400 million from its 2017 incident, which affected 148 million people.

Despite months of due diligence, finding out there was a major network attack long after a deal closes is “everybody’s worst-case scenario,” said Jake Olcott, vice president at BitSight, a computer security ratings company in Boston.

Several lawsuits were filed against Marriott on Friday, and investigations were announced by New York’s attorney general, Barbara D. Underwood, and European regulators.

In Europe, where companies can be fined up to 4 percent of global revenue under data protection laws, companies must alert government authorities within 72 hours of a known breach.

Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott “has the potential to trigger the first hefty G.D.P.R. fine,” said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data protection law enacted this year.

Marriott told shareholders that it did not expect the breach would affect the company’s long-term financial prospects. The company’s share price was down more than 5 percent on Friday.

Marriott has also been dealing with strikes by thousands of workers in nine cities, as well as customer complaints about problems with rewards programs after efforts to merge data from Starwood’s rewards program into Marriott’s left the records of millions of customers in limbo.

Lawmakers said the episode was yet another example of why the United States needs data privacy laws that punish companies for failing to keep customers’ information private.

“It is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses,” Senator Mark R. Warner, a Democrat from Virginia, said in a statement.

Privacy advocates said there was no excuse for a breach to go unnoticed for four years.

“They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing,” said Gus Hosein, executive director of Privacy International, a group that supports strong data protection laws.

Source link Nytimes.com