In November of 2018, Marriott disclosed that its Starwood database was hacked, affecting about 383 million guests.
Last Friday, Marriott International announced that its Starwood hotel system had failed to encrypt passport numbers for approximately five million customers. Although the hack was not as big as originally feared, it is believed to have affected roughly 383 million guests and remains the largest breach of customer data in history, even bigger than the infamous Equifax hack.
Who is responsible for the hacking?
Many experts believe that the data breach was part of a Chinese intelligence-gathering effort. The New York Times reported back in December that the attackers were indeed Chinese intelligence agencies.
The supposed Chinese attackers were allegedly responsible for another data breach in 2014, hacking U.S. health insurers as well as the Office of Personnel Management, which stores and safeguards millions of Americans’ security clearance files.
James A. Lewis, a cybersecurity specialist who directs the technology policy program at the Center for Strategic and International Studies in Washington, told The New York Times last month: “Big data is the new wave for counterintelligence.”
China Responds to Hack Accusations
Along with the previous breach in 2014, the attack appears to be an attempt by China’s Ministry of State Security to collect a database of sensitive information on Americans and others. Information compiled on people with sensitive government jobs includes names of colleagues, foreign friends and contacts, where they work and where they travel.
China, however, denies knowledge of the breach. A spokesman for its Ministry of Foreign Affairs, Geng Shuang, said last December: “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law.”
He continued, “If offered evidence, the relevant Chinese departments will carry out investigations according to the law.”
Marriott Scrambles to Recover From Data Breach
As the data breach is being investigated, a new weakness in hotel data systems has come to light: how passport data is handled once a guest reserves a room or checks into a hotel. Marriott allegedly kept 5.25 million passport numbers in the Starwood system in unencrypted files, in addition to 20.3 million passport numbers in encrypted files.
Why the 5.25 million passport numbers were stored in unencrypted files is unclear; perhaps different hotel locations followed different procedures for handling the data.
Marriott said in a statement: “There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers.”
Marriott was asked how it is handling the information now that it has merged Starwood’s data into Marriott’s own system (the merger was completed in December 2018).
Connie Kim, a Marriott spokeswoman, said: “We are looking into our ability to move to universal encryption of passport numbers and will be working with our systems vendors to better understand their capabilities, as well as reviewing applicable national and local regulations.”
At this time, Marriott says that they have no evidence of who the attackers were. Arne Sorenson, the company’s president and chief executive, declined to speak with The Times about the hacking.
The company did say, however, that it would reimburse customers for new passports if passport data taken from its system was used in a fraud.