12-01-2018 | News
500 Million Instance Marriott Data Breach Could Have Surprising Silver Lining
What is certainly unfortunate news for Marriott hotels and their guests may result in a win for privacy rights. Marriott has officially made history, in one of the worst possible ways. With 500 million instances of data theft, including credit card information, passport numbers and other personal information gathered by the hotel chain, this latest massive breach may dwarf even the enormous Equifax hack that affected 145 million people.
At the moment it is not clear whether the 500 million figure represents individuals who have had their privacy invaded by hackers courtesy of the Marriott family of hotels, or whether the figure includes duplicates from single customers who stayed at one of their hotels on multiple occasions.
Chris Wysopal, chief technology officer of security company Veracode, spoke about the massive info leak: "On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade."
If most of the 500 million incidents are separate individuals, the hack is definitely historic in its scope. As mentioned, the Equifax breach was previously one of the worst info heists to date. In 2015, Experian was compromised, resulting in some 15 million Americans having their personal information stolen and likely resold on the dark web. The Target leak of 2013 exposed contact information and credit card numbers for over 41 million accounts.
Security analysts suggest that the breach likely began as early as 2014. Though credit card information was among the personal information the culprits absconded with, it is uncertain whether card information could be used. It was encrypted but the hackers also made off with components of the decryption key.
In addition to encrypted credit card information and decryption key information, the breached data included personal information such as email addresses, passport numbers, birth dates, reservation, arrival and departure dates, and Starwood Preferred Guest account information.
CEO Arne Sorenson expressed regret in a statement: "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward."
Marriott may have more than a PR disaster on their hands, considering that stolen data from guests from EU nations could put them in violation of new European privacy laws. An even larger worry to consider is the possibility that those responsible had primarily political rather than fiscal motivations.
Jesse Varsalone, associate professor of cybersecurity at the University of Maryland University College, warned of the havoc spies could wreak with reservation information of government officials: "There are just so many things you can extrapolate from people staying at hotels. Once you know someone's arrival, departure, room preferences," that could be used to incriminate a person or for a reputation attack that "goes beyond your traditional identity theft or credit card theft."
In most of the largest data hacks of the past, passport information was not included, but Hong Kong's Cathay Pacific Airways revealed in October that 9.4 million customers' information had been stolen, including passport numbers. Passport numbers are an example of how the richness of the data in this hack could make it more valuable: more identifying information improves the chance of identity theft, which makes the full set worth more in deep web marketplaces.
If your credit card number is hacked, you can easily have it frozen and receive a new one in a short time. Getting a new passport number isn't as much a piece of cake. The passport number alone may not be as troubling, considering that in most cases the physical passport must be seen for it to be taken as valid identification.
With the broad amount of data making identity theft a possibility, those affected by the hack may be more in danger of a credit card being opened in their name and used than of their existing credit card data being used.
If every cloud has a silver lining, in this case it would likely be the heat placed on Marriott by representatives of government. The New York attorney general has already opened an investigation, and Mark Warner, Senator from Virginia and co-founder of the Senate Cybersecurity Caucus, has spoken out about the need for measures to ensure companies are held accountable for such incidents rather than leaving the consumer victims to "shoulder the burden and harms resulting from these lapses."
To be fair, it could have been worse. The Yahoo hack resulted in 3 billion accounts being compromised in all, so as far as silver linings for Marriott go, cold comfort though it may be, at least Yahoo set the bar for massive leaks.