30
Nov 18

Marriott: Data on 500 Million Guests Stolen in 4-Year Breach

Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.

Marriott said the breach involved unauthorized access to a database containing guest information tied to reservations made at Starwood properties on or before Sept. 10, 2018, and that its ongoing investigation suggests the perpetrators had been inside the company’s networks since 2014.

Marriott said the intruders encrypted information from the hacked database (likely to avoid detection by any data-loss prevention tools when removing the stolen information from the company’s network), and that its efforts to decrypt that data set was not yet complete. But so far the hotel network believes that the encrypted data cache includes information on up to approximately 500 million guests who made a reservation at a Starwood property.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences,” Marriott said in a statement released early Friday morning.

Marriott added that customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.

The hotel chain did not say precisely when in 2014 the breach was thought to have begun, but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year — to November 2014.

Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of the its guest reservations or membership systems.

However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data. In Dec. 2016, KrebsOnSecurity broke the news that banks were detecting a pattern of fraudulent transactions on credit cards that had one thing in common: They’d all been used during a short window of time at InterContinental Hotels Group (IHG) properties, including Holiday Inns and other popular chains across the United States.

It took IHG more than a month to confirm that finding, but the company said in a statement at the time it believed the intrusion was limited to malware installed at point of sale systems at restaurants and bars of 12 IHG-managed properties between August and December 2016.

In April 2017, IHG acknowledged that its investigation showed cash registers at more than 1,000 of its properties were compromised with malicious software designed to siphon customer debit and credit card data — including those used at front desks in certain IHG properties.

Marriott says its own network does not appear to have been affected by this four-year data breach, and that the investigation only identified unauthorized access to the separate Starwood network.

Starwood hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program.

Marriott is offering affected guests in the United States, Canada and the United Kingdom a free year’s worth of service from WebWatcher, one of several companies that advertise the ability to monitor the cybercrime underground for signs that the customer’s personal information is being traded or sold.

The breach announced today is just the latest in a long string of intrusions involving credit card data stolen from major hotel chains over the past four years — with many chains experiencing multiple breaches. In October 2017, Hyatt Hotels suffered its second card breach in as many years. In July 2017, the Trump Hotel Collection was hit by its third card breach in two years.

In Sept. 2016, Kimpton Hotels acknowledged a breach first disclosed by KrebsOnSecurity. Other breaches first disclosed by KrebsOnSecurity include two separate incidents at White Lodging hotels; a 2015 incident involving card-stealing malware at Mandarin Oriental properites; and a 2015 breach affecting Hilton Hotel properties across the United States.

This is a developing story, and will be updated with analysis soon.

Tags: ,

66 comments

  1. Looks like we will be busy at work today getting our employees taken care of.

    These are our go to hotels for remote workers visiting.

    • Will you sign them up for the WebWatcher service? Do you think it adds much value?

      • I have several so-called monitoring services currently, all thanks to data breaches at various companies I do business with that were compromised and that offered the service. I’ve never had a warning from any of them. The only times I knew something was wrong when one of my credit card providers notified me of fraud on a card. This has happened 3 times in the past 2 years. ’nuff said?

        • I have the Equifax TrustedID Premier service and I was never notified when I opened a new credit card last summer. I just checked my Equifax credit report and it still does not show up on my report. The only sign of anything was a credit inquiry from Chase.

        • There’s ONLY ONE way to protect yourself is to go to all of the credit reporting agencies and LOCK your credit report. That way new accounts cannot be opened. Make sure you keep track of the security PIN that they give you, so YOU can get into your account when necessary.

          Brian, if he hasn’t said so already, would, I am 100% sure, agree.

      • They’re only good for notification, after the fact. They can’t stop it from happening. They only ask if you “did this”, it’s already been done .

  2. dammit…. I use cash as much as possible, but this is one of those things that gets reserved with a card.
    The rub is – I stayed at multiple of their properties this year to attend— Security Conferences…….

  3. Why is Marriott using kroll.com domain to dole out information on the breach? Who or what is kroll? I don’t recognise Kroll so why would I click on such a link to seek out information there. Not very smart.

    • Kroll is the credit monitoring company.

    • Mikey Doesn't Like It

      @Peligro:

      You could have simply Googled “Kroll” to check them out.

      Kroll is a long-established security firm; respected in the law enforcement community.

      • Even if a site such as kroll.com comes from https://krebsonsecurity.net, I will be skeptical allowing its advice and links/actions.

        We need a better way for browsers to ID potentially dangerous links within their pages. Of course, this gives a lot more power to do good/bad to the browser manufacturers.

        (Note that I deliberately misspelled Brian’s website above.)

      • That’s exactly what I did. But would the average consumer do so prior to clicking the link on Marriott’s site?

        Why Marriott couldn’t have hosted an explanatory page on their own site is surprising to me, because average joe consumer has no clue who Kroll is.

    • Kroll is a very “quiet” company, that stays “under the radar” as much as possible. They do everything from high profile breeches, to building very up-armored limo’s, for heads of state (or did). Kroll’s lack of notoriety is intentional. I would think of them as the Pinkerton’s of this century, when Pinkerton’s was going after Butch Cassidy and the Wild Bunch. They are extremely competent. I interviewed with them some years back, it was one of the strangest interviews I have ever had, I was in a room with a speaker phone – just me and disembodied voices (sort of creeped me out). Hope that helps. I think that Kroll is actually the MIB. Lol

  4. Brian, you have previously written that these ID monitoring services are not that helpful. If we have our credit reports frozen, is there any benefit to signing up for the free credit monitoring service offered by Starwood?

  5. The real question here is how many other organizations have been owned for years and still don’t know it!

  6. Related item: A large number of people (including me) been getting spam calls with randomized spoofed caller ID, pretending to be from Hilton and offering free hotel stays. I got to speak with an operator.

    I said that Hilton would not use a randomized caller ID number, and he pleaded that he was really Hilton, offering my name and Hilton fidelity card number as proof. That was unsettling. Were these details part of the 2015 Hilton leak? Or does Hilton sell that data?

    • The 2015 Hilton breach didn’t provide such data, since just some POS System was effected, where you can only crawl CC information and what you ordered.
      Since the POS Systems are separated from the OnQ System, there’s no way they could’ve get more then that.
      Nor is Hilton selling your data, if a Hilton Hotel would want to gift you a free stay, they would simply add you some Points to your HHonors account.
      Hilton got really strict after 2015, for example, you can’t even have a random Computer in the NA Network, because the Port will simply get shut off automatically.

      • How would the average Joe/Jill know exactly what was stolen, when, by whom? Especially since the corporations don’t want to report it and don’t apparently even know themselves.

  7. I get maintaining a DB of customer names, addresses, etc., but what is the business case for keeping customer passport numbers? DOB is useful for marketing (and selling to other companies, wink-wink-nudge-nudge) but again, it’s one of those pieces of data required for identity theft and must be guarded.

    As customers it should be our right to push back with a “that’s on a need-to-know basis, and you don’t” against the sucking up of all our data when the business can’t justify it. Perhaps we need laws that limit the storage of such important information — at least limits how long companies can store it.

    • I have a “special” date-of-birth that I give whenever a company or website asks for DOB. Whenever a random company wishes me a happy birthday on my “special” day, I know how they got it.

      • This is a great idea when using something like Facebook (I also gave them falsified race, age, name, and even city). Not so simple when the company demands a government-issued ID.

      • In Marriotts Rewards system, there is no requirement to have a D.O.B. Name Address, Phone Number, and E-mail are needed to open an account, but these can even be office address, phone, etc. for a business traveler. Unknown what the Starwood Preferred Guest system required- that system was ended with the purchase of Starwood and merging the system into Marriott’s.

    • I believe there are retention laws for passport numbers. Travelers must be tracked down during investigations, and typically require hotels keep that information for years.

  8. The Sunshine State

    One year of Web Watcher / Kroll ID Monitoring , what a joke

  9. Futuer hacking victim

    For whatever it might be worth, I think we need penalties for these data breaches that are akin to those assessed under HIPAA. If companies like Marriott and Experion had to pay fines in the tens of millions, perhaps they would spend a little more money better securing their networks. Then again, all they would do is pass the cost of their fines onto the consumer…

    • The problem is that cybersecurity is always a moving target. You can be following best practices and still get hacked, especially when you have thousands of non-technical employees and thousands of physical locations.

      • I find it hard to believe that they were doing everything right and didn’t detect this for 4 years.

        • Not find out about it for four years? You don’t get to say, “I’d like to buy your company!” and then get to dance through the other company’s networks like you own them. Only long after that, after buying the company and starting to run it; when you’re starting to merge system, might you get to see things in enough detail to find the problem…

        • While I agree that security is the impossible job, I kind of agree with you on this. Part of what makes the job impossible is that the problem set is currently infinite. However, the bogies had to exfil half a billion records. That’s a significant amount of data leaving the network going someplace that should have been noticed.

          Knowing what data is on your networks, and identifying the legitimate locations that data can go to from those data locations, shrinks the problem to finite. That would have allowed this to be caught.

          I do have sympathy for the people who had the job of preventing it. They likely did what they could with what they had, just like we all do.

    • There already is, its called GDPR:

      Up to €20 million, or 4% annual global turnover, whichever is the greater.

      which is presumably what the ICO in the UK will be eyeing

    • I think a base penalty of 10% of the company’s annual gross revenue should be a minimum for a basic hack involving user data. Add another 10% to that if payment data is compromised and these big corps that regard “10’s of millions” as just another cost of doing business would perk up and pay attention. Then add another 5% for every month after the breach was discovered until public disclosure.

  10. One year of “monitoring” means nothing and does nothing. The only solution I see is a massive class action suit to any and all companies that are breached. Not a few millions of “go away money” paid to the government, but a crippling jury award is the only way to get these companies to understand that enough is enough.

  11. And of course the Kroll enrollment site can’t handle the volume and has crashed…

  12. Companies bring this on themselves by feeling the need to amass as much data on their customers as possible. Maybe instead of looking at the problem as how do we protect all this data more organizations should start thinking in terms of how they can run their business and service customers while storing a minimal amount of data.

  13. Hopefully anyone with questions or concerns will contact Marriott directly and not bother the poor Front Desk or property staff people.

  14. What can, if anything, the “bad guys” do with the stolen passport numbers?

    • One aspect of these types of breaches that often gets overlooked is their utility for future phishing attacks. That’s a ton of information to have and to draw upon when you’re conducting spear-phishing attacks going forward.

      E.g., find all the Black Card users with unlimited credit and then single them out with targeted phishing attacks. Do this for just-made reservations, and you could quite convincingly send recipients a notice saying the card transaction failed and that you need more information or need a different card, etc. Or, they could include the passport info to make the whole thing look more legit, and then say the notice about the rejected transaction is included in a (malware booby-trapped) PDF. Really, your limit here is your imagination as an attacker.

    • they can make fake passports. create fake drivers license and IDs and then use your illegally obtained credit card to go shopping…

  15. That explains why I got a call from “ Marriott” offering me a discounted vacation ( recording) and Hilton and Carnival on the same day. Great idea about a fake B-day when it does not matter. No point in giving out valid info if it does not matter to the end user.

  16. Does anyone know if they had a SIEM? Was said SIEM managed by a SOC-as-a-service vendor? Four years is a long time. Sometimes I think by the time the majority of operations start doing security right, it won’t matter anymore. We’ll have moved on somehow and it won’t matter what PII of yours anyone has because everything will be numb.

  17. Yes, of course you wouldn’t give your actual birthday to some website or to some business that has no business of knowing it. I actually go even further and don’t tell my actual birthday to some friends and colleagues. For instance if your actual birthday is November 30, 1990 then I may tell people that it’s November 26, 1992. That way you can still celebrate it with them but then whoever wants to steal it won’t have the actual date. Although in a sense even that becomes a moot point with millions of data breaches where your actual data is leaked.

    IMO, what needs to change is not how those companies store our data, they will never be able to secure it. We need to change what is needed to open a bank account or a line of credit for a person. If a bank or a store or any organization opens up such an account without first verifying a picture ID from the signer and talking to him or her in person, that company should be liable under the law and potentially incur a very hefty fine. Only then we can stop caring about giving out our actual birthdays.

  18. Starwood is required to comply with PCI DSSS and has been under that program for many years. In addition to the published requirements themselves, PCI even has an additional technical document that specifically discusses log monitoring methods, techniques and processes & procedures: https://www.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf Despite this, many of the largest corporations are no better at information security than much smaller organizations because they utterly fail to grasp and adopt ‘defense in depth’ and ‘zero trust’ models and their associated stringent and exhaustive methods.

    • Companies that big have pci audits and don’t just self assess. So I’m really curious how elaborate the techniques were to breach them. Or if it involved insiders.
      So until we get more details I won’t assume it’s a case of super laxness.

  19. Federal reserve will cover. Loss they can any time press the money printer buttom.
    They can print as much money as possible.. Usa is alive thanks to federeal reserve.

  20. At the rate these breaches occur, I should have free credit monitoring for the rest of my life.

  21. The only thing that will curtail these large breaches are huge *personal* fines and jail time for the top-level executives of the companies who didn’t pay proper attention to data security. It’s not enough for the company (that is, the shareholders) to pay a fine, even if large – that’s not enough of a disincentive. And seeing some perp walks by execs might get their counterparts at other companies thinking that maybe data security should be a top priority.

    • Ludicrous.

      All that would do is ensure that some percentage of executives would be in jail at any given time. It would also ensure that some pretty good talent would just avoid the field. I can’t think of one person who would have done their job differently because they knew that some executives got locked up for a breach. They might have found other work, but they wouldn’t have done this work better.

      It might create funding, but that doesn’t solve the problem. It bandaids it a little longer. A hacker can invest $1000, make $1M, and cost a company $1B. You can’t fix that equation by dumping money on the billion dollar end.

      It astounds my how quickly people say to lock up other persons who were only doing their job, just like you and I do. Why the heck wouldn’t you instead talk about the fact the the actual criminal on the other end of the equation is going to walk free, significantly richer? That’s where you could actually positively effect this situation by throwing someone in jail. There is currently very little risk for this type of criminal, and huge potential gain. It’s obvious why they do it. Start there.

      • Several years ago I interviewed with a former CISO who had testified before Congress urging the personal consequences now associated with HIPAA. Ironically, the advent of personal consequences made *him* re-assess his own career path – and he bailed out.
        You can’t legislate competence, any more than you can legislate morality.

    • This fails the logic test, and I hate hearing it. All this would accomplish is ensuring that some percentage of US executives were in prison at any point in time.

      And don’t tell me it would make them spend more money on security. Even if it would (temporary) that wouldn’t fix the problem.

      Why would you recommend jail time for the people who are just trying to do a job before you’d ask why the actual criminals (thieves, trespassers) aren’t getting locked up?

    • It’s a battlefield out there. Wouldn’t make sense to put your own men in the brig unless gross negligence is uncovered.

  22. Is there somewhere I can just send all my personal information, to get this over with?

  23. on the positive side, I have many years of free monitoring services.

  24. Seems to me that what’s needed is 1] required, timely and detailed full disclosure and transparency from companies regarding attacks and hacks 2] regular, required routine anti-social engineering training for all employees and 3] new, innovative, evolving open source security measures to curtail attacks.

  25. William Guilherme

    I am hearing and reading a lot of security professionals saying that “Marriott uses a crappy email security system”.
    How in the world, people are jumping to such conclusion, if there are no details about the actual threat vector yet?
    This is the main problem of our field “Speculation”.

  26. data protection laws

    Brian are you still opposed to data protection laws? Mariott is by law now in big trouble, since they did not protect the personal data of milions of European customers but also did not care to report it to the appropriate authorities in a timely manner. Mariott now faces huge fines for this in all European countries. Companies just do not protect other peoples data out of their own because there is always someone opposed to protection personal data for their own gain and profit.

    • I’ve read they are arguing for an exemption (possibly with just reason based on how the GDPR was written, as it relates to fines) on the grounds that the breach was 4 years old, and superceded the GDPRs active date.

  27. This is a case where Blockchain Technology like Digibyte can help make a difference. No such thing has 100% secure. The deterrent is to make the data useless if it’s taking from your network

  28. 4 years, wow you have to at least try and protect your customers. In this case I have to wonder is anyone minding the security aspect of the company? As any customer doing online business, you should probably accept the fact that your vulnerable and to take actions to protect yourself. Even if you have legal options against a company, the litigations will take years and even the GDPR might not have real teeth to litigate strongly enough. The bad guys have ruined yet another convenience for consumers, the web.

Leave a comment