Data Of 500 Million Accounts Was Stolen In Marriott Breach

The seriousness of Marriott data breach is the cause for worry that exposed information of customers at specific place could be exploited for housebreaking, spying, or fame attack.

Marriott International said data of up to 500 million accounts, including payment card details, passport numbers, addresses, and other personal information, had been stolen from the hotel reservation system during a hack began 4 years ago.

Marriott Hotel

It is reported that this was one of the biggest data compromises ever recorded. To compare, Equifax breach occurred last year impacted on over 145 million Americans. Additionally, hackers in the 2013 Target breach stole payment data of more than 41 million customers and contact information of more than 60 million shoppers.

According to Chris Wysopal, the Veracode chief technology officer, the hack is not just conventional payment card steal, because records of hotel reservations could be utilized for somebody incrimination.

A professor of cybersecurity at the University of Maryland, Jesse Varsalone, indicated that it would be worse if the data attack took place for nation-state spy purpose instead of a financial one.

If this happens, information about government officials’ journey, to conferences for military bases, for example, could be exposed, he said.

 “There are just so many things you can extrapolate from people staying at hotels,” he added.

Moreover, as the data of hotel booking, together with personal addresses, was leaked, burglars would be able to know when someone planned to go out, said Scott Grissom, a provider of legal services at LegalShield.

The data attack impacted on guests of Marriott-owned Starwood hotel brands, which involved W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and Four Points.

Although the prestige of Starwood properties decreased, the Marriott hotel chain seemed not to be under threat.

The company said potential victims would be informed by email about the breach, beginning on Friday.

In spite of a large number of affected guests, it could contain some errors from duplication accounts. It is because if a customer stayed in a specific hotel multiple times, the records would be duplicated.

Specifically, while usual breach often had a duration of months, the Marriott occurred in very long time, up to four years, said Yonatan Striem-Amit, Cybereason chief technology officer.

The purpose of instigators with payment card information is still unknown. Marriott said although these cards had been encrypted, hackers would be able to descramble the numbers if they got two elements needed.

More seriously, two-thirds of people who were affected by the breach could lose information such as home addresses, email addresses, phone numbers, passport numbers, journey details, and other personal data.

A call center and website of Marriott have been established to help customers who think they are under threat.

In fact, this was not the first time passport numbers were stolen from a database. In October, Cathay Pacific of Hong Kong airline had a security problem, leading to compromise of 9.4 million guests’ data, involving their passport numbers.

It is a much more complex problem to ask the government for a new passport while the process of issuing a credit card can be completed in a few days.

However, it seems to be compensatory to know that a requirement of meeting face to face often involved in the process, said Ryan Wilk at NuData Security.

“It’s a highly secure document with a lot of security features,” he said.

In the 2015 merger, up to 21 million people were Starwood’s loyal customers. It is the fact that over 6700 properties belong to this company worldwide, with the large majority placed in North America.

Security specialist said other information, rather than credit cards, could be more in danger due to not being protected.

The name accounts, passport numbers, home addresses, and other personal data “is of greater concern than the payment info, which was encrypted,” said Ted Rossman, an analyst of CreditCards.com.

Though an internal security device was set up and run in September, it could not find what data had been damaged until last week.

The Maryland-base of the company said financial loss after the breach was still unable to be estimated and that they were working with insurance suppliers to get a coverage.