Marriott said that a massive data breach of its guest reservation system has left up to 500 million guests’ data exposed and available for the taking. Worse, the attackers may have had access to the systems for at least four years before being discovered.
The hotel company said in a statement on its website that hackers gained access to the Starwood reservation database. Starwood, which includes hotels like St. Regis and Sheraton, was bought by Marriott in 2016.
The hackers gained unauthorized access to Starwoods’ network back in 2014. Marriott said it discovered the breach on Sept. 8.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” the company said in its statement.
Marriott did not respond to a request for comment about how the database was accessed.
Marriott said that hackers stole data like name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for 327 million of these guests.
For others, information stolen also includes payment card numbers and payment card expiration dates. The payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), stressed the company.
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the company said. “For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Security experts, such as Daniel Cuthbert, global head of cyber security research at Banco Santander, were astounded that the hack has been ongoing for four years without discovery.
"Marriott, the world’s biggest hotel company, said the huge hack had been going on since 2014"
FOUR YEARS!
1312 Days!
There is so much in this, where do you begin? #Marriott
― Daniel Cuthbert (@dcuthbert) November 30, 2018
Marriott has also had minorsecurity issues in the past. Kevin Beaumont pointed back to past security incidents with Marriott wherein a remote access trojan located inside the company’s network had access to their Cyber Incident Response Team mailbox in 2017.
This is from 2017. Per @Marriott their breach started in 2014. In this screenshot a remote access trojan inside the Marriott has access to their Cyber Incident Response Team mailbox. https://t.co/swLW2jKKGB
― Kevin Beaumont (@GossiTheDog) November 30, 2018
BacklashThe incident has left infosec community members and hotel guests scratching their heads about how the hackers could have stayed undetected for four years.
“Four years of unauthorized access is an eternity for hackers, so members of the Starwood rewards program need to keep a close eye on their balances, as attackers will often try to steal and monetize rewards points,” said Ben Johnson, co-founder and CTO of Obsidian Security. “While the recognition of the breach and an apology are important steps forward, Marriott must upgrade its ability to detect compromises like this much faster, and should move swiftly to protect the rewards accounts and personal information of its loyal members.”
Brian Vecci, technical evangelist at Varonis, pointed to the breach as a “textbook” example of how hackers are becoming smarter about building persistence when they breach critical systems.
“Threat actors are smart and getting smarter so it’s hard to catch them in the act, but not only did Marriott fail to protect customer records, they failed to detect the leakage of this data since 2014,” he said. “This breach is a textbook example of attacker dwell time, and how once an attacker compromises an organization their goal is not typically to smash and grab, but to build persistence mechanisms and backdoors to stay in a network and continue to steal critical information year after year.”
Meanwhile, the New York Attorney General’s office declared it was opening an investigation into the Marriott data breach. “New Yorkers deserve to know that their personal information will be protected,” NY Attorney General Barbara Underwood said in a Tweet.
We’ve opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected.
― NY AG Underwood (@NewYorkStateAG) November 30, 2018
Marriott said it will begin sending emails on a rolling basis starting today, November 30, 2018, to affected guests whose email addresses are in the Starwood guest reservation database.
Threatpost will be updating this breaking news story as it develops. Please check back for more.