On Friday, hotel chain Marriott International announced in a press release that the reservation system for their Starwood line of properties had been hacked, and that sensitive personal information belonging to 500 million guests was compromised.
It is still unknown at this time who is responsible for the data breach, how they succeeded in compromising the data, or what their intentions are. The facts we do know are alarming, and suggest that the hotel chain has been starkly inadequate in securing its guests’ personal information.
According to the press release, the initial breach occurred in 2014 and lasted until September of this year when an internal security tool initiated an alert that an unauthorized party had attempted to access the company database. This means that for a full four years, Marriott had been inadvertently funneling the private information of its guests directly to the hackers.
Once the unauthorized attempt to access the database was detected, Marriott consulted with security experts to help determine what was going on. A forensic investigation into the matter uncovered that the hackers had copied and encrypted information from the database. Investigators recently concluded after decrypting the information that the compromised data was from their Starwood guest reservation database.
Marriott’s Starwood line of properties includes W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, Design Hotels, as well as Starwood brand timeshare properties. Any guests who stayed at any of these properties before September 10th, 2018 are potentially affected. Marriott brand hotels were not compromised because the Marriott and Starwood guest reservation databases were kept separate.
The personal information contained in the guest reservation system highly detailed and allowing that personal information to fall into the wrong hands is a frightening oversight.
According to Marriott’s statement, among the types of personal data compromised includes, “Some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” On top of that, Marriott confirms that credit card numbers, along with credit card expiration dates were also compromised. Though the press release claims that the card numbers were encrypted, what Marriot cannot confirm at this time, is whether the encryption keys were stolen. If so then we can assume the card numbers were accessed by the unauthorized party.
Marriott CEO Arne Sorensen apologies on behalf of the chain stating, “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.” Sorensen continued by explaining the company’s next steps, “Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
It’s encouraging to know what steps are being taken to shore up Marriott security systems, and to make sure nothing like this happens again, but the reality is that the damage has already been done. Millions of people have had their private data exposed to an unknown, unauthorized, and in all likelihood, nefarious third party. Millions of people are now at risk of identity theft as a result of the incident, and millions of people have had their credit card numbers compromised due to Marriott neglecting to deploy adequate security measures to protect customer data.
The fallout for Marriott will likely continue for some time as further investigations into the breach get underway. In addition, they are likely to be left with a bevy of lawsuits and financial penalties to sort through. Despite this inevitable financial hit, the company disclosed in its SEC filing that it “does not believe this incident will impact its long-term financial health.”
Regardless of whether their financial health remains intact following the breach, this incident highlights the disturbing fact that many large corporations are gravely ill-prepared to prevent, and detect cyber attacks on their networks. We only need to look at the recent incidents involving Yahoo in 2013 and Equifax in 2017 to demonstrate that these types of large-scale security breaches are all too common, and seem to be happening with greater regularity.
In order to prevent this becoming a trend things need to change and fast. First and foremost, companies will need to thoroughly evaluate and take the necessary steps to bolster their security practices and protect the private data of their customers. Secondly, strict data protection regulations can help incentivize companies to better protect their customers’ private data. For example, the European Union recently enacted stricter data protection regulations that can potentially levy crippling fines against companies that fail to abide. In the United States, similar regulations are being pushed through, that also drop heavy fines on companies that don’t make the proper effort to safeguard customer data. Perhaps such initiatives will set the right tone and demonstrate the importance of minimizing the amount of personally identifiable customer data that a company collects, and the absolute necessity of preventing that data from ending up in the hands of unauthorized third parties.
In the Marriott case, several burning questions remain: What security deficiencies ultimately allowed the hackers to compromise the database? Why did it take four years to detect the breach? Who was responsible for the attack and what are they doing with the data? Why does Marriott not know if the encrypted credit card data was compromised? The answers to these questions could provide Marriott and others with critical insight as to why this happened and more importantly what they can do to ensure it never happens again.
If you want to take further precautions to ensure your online safety when you're connected to hotel WiFi, you may want to consider using a VPN. Take a look at our best VPN services page for more information.