Early Friday morning, the hotel behemoth Marriott announced a massive hack that impacts as many as 500 million customers who made a reservation at a Starwood hotel. Marriott acquired the Starwood hospitality group, which operates numerous hotel brands including Sheraton, Westin, Aloft, and W Hotels, in September 2016. But the intrusion that caused the enormous data breach predates Marriott’s acquisition, beginning in 2014.
Marriott says it is cooperating with law enforcement and regulators in investigating the hack, and the company hasn’t finalized the number of people impacted. It currently seems that about 170 million Marriott customers only had their names and basic information like address or email address stolen. But the bulk of the victims—currently thought to be 327 million people—had different combinations of name, address, phone number, email address, date of birth, gender, trip and reservation information, passport number, and Starwood Preferred Guest account information all stolen.
Some credit card numbers were also stolen as part of the breach, Marriott says, but the company did not provide an initial estimate of how many were taken. The credit card numbers were encrypted with the algorithm AES-128—a reasonably robust choice—but Marriott says the attackers may have also compromised the decryption keys needed to unlock the data.
All in all, it’s not a great situation.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO said in a statement on Friday. “We are doing everything we can to support our guests. … We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
A Historic Breach
Breach response experts told WIRED on Friday that the sheer amount of time the attackers had inside the system—four years in all—likely made the breach much worse than it otherwise might have been. Time gives attackers the ability to chip away at defenses, or simply learn more about a system to understand where the valuable data is. Even with encrypted data, like the credit card numbers in this case, an attacker with enough access could steal the decryption keys, or swipe sensitive data before it ever has a chance to be encrypted in the first place. Either scenario seems possible, given the details Marriott has released so far.
“It’s all about key management and doing encryption in the places where an attacker might be,” says Johns Hopkins cryptographer Matthew Green. “There’s no point in locking the gates if the bad guy is already inside.”
Meanwhile, the attackers also had ample time to encrypt the stolen data as part of their exfiltration strategy. Hackers often use encryption as a tool to mask data and sneak it past a network’s “data loss prevention” defenses, which monitor for sensitive data in transit.
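The two points above, that encrypted data is only as safe as its keys and that encryption also hides stolen records from pattern-based DLP, can be seen in a few lines of code. The following is an added illustration written for this article, not code from Marriott, Starwood, or any DLP vendor. It uses constructed guest records (not real data), a Luhn-checked regex as a stand-in for a DLP card-number rule, and a SHA-256 keystream as a stand-in for a real cipher (it is not AES-128 and is for demonstration only). The pattern rule finds card numbers in the cleartext export and finds nothing in the encrypted copy; a Shannon-entropy heuristic is the kind of complementary check a defender can use to flag opaque outbound payloads for review.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed sample export of guest records (fictional data for the demo).
PLAINTEXT_RECORDS = b"\n".join([
    b"guest=Jane Doe;email=jane@example.com;dob=1980-02-14;card=4111111111111111;exp=12/24",
    b"guest=John Roe;email=john@example.org;dob=1975-11-30;card=5500000000000004;exp=03/25",
    b"guest=Ann Poe;email=ann@example.net;dob=1991-07-09;confirmation=8827731902441;passport=X1234567",
])

# Demo key only; in a real system the key must live somewhere the attacker cannot reach.
DEMO_KEY = b"constructed-demo-key"

# DLP-style rule: runs of 13-19 digits that also pass the Luhn check.
PAN_RE = re.compile(rb"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn checksum, used to separate card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(payload):
    """Return Luhn-valid card numbers found in a cleartext payload."""
    return [m.decode() for m in PAN_RE.findall(payload) if luhn_ok(m.decode())]


def shannon_entropy(data):
    """Bits per byte; ASCII records sit around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def encrypt_for_demo(key, data):
    """Stand-in stream cipher (hypothetical, NOT AES): SHA-256 keystream in counter mode.
    XOR is symmetric, so the same call decrypts. Only here to produce ciphertext-like bytes."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, stream))


def dlp_verdict(payload, entropy_threshold=6.0):
    """Combine the pattern rule with an entropy heuristic for an outbound payload."""
    cards = find_card_numbers(payload)
    ent = shannon_entropy(payload)
    return {
        "card_numbers": cards,
        "entropy": round(ent, 2),
        "flag_pattern": bool(cards),              # cleartext card data seen
        "flag_entropy": ent >= entropy_threshold,  # opaque/encrypted-looking blob
    }


if __name__ == "__main__":
    print("cleartext :", dlp_verdict(PLAINTEXT_RECORDS))
    print("encrypted :", dlp_verdict(encrypt_for_demo(DEMO_KEY, PLAINTEXT_RECORDS)))
```

The cleartext export trips the pattern rule (two card numbers; the confirmation number fails Luhn and is ignored) but not the entropy check, while the encrypted copy trips only the entropy check. An entropy flag alone is noisy, since legitimate TLS, archives, and images are also high-entropy, which is why it belongs with context such as destination, volume, and the account doing the transfer rather than as a blocking rule on its own.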
Marriott says a digital security tool flagged suspicious attempted access to its United States Starwood guest reservation database on September 8 of this year. The company investigated, and seems to have blocked attacker access by September 10, because it says that no customer data was stolen after that date. But Marriott also says its initial investigation didn’t definitively identify the scope of the problem until more than two months later, on November 19.
Marriott says its own digital systems were not affected, only the Starwood side. Some penetration testers and network breach responders speculated to WIRED on Friday that Marriott’s acquisition of Starwood may have played a role in delaying detection if the companies were distracted by the larger topic of brokering the deal.
“It’s not clear whether the attacker already had access through Starwood before the merger, or whether Marriott had a copy of the database for evaluation purposes and due diligence and lost control of it there,” says Jake Williams, founder of the penetration testing and incident response firm Rendition Infosec. “I can’t believe that the merger wasn’t a contributing factor in the breach.”
What You Can Do
Beginning Friday, Marriott is rolling out batches of notification emails to impacted customers. It has also established a call center and breach notification website, but you can’t use it to look up whether your information was stolen, or how much of it. Marriott seems to be erring on the side of assuming that every Starwood customer has been impacted. “If you made a reservation on or before September 10, 2018 at a Starwood property, information you provided may have been involved,” the company’s breach response page reads.
The company is also offering enrollment in the identity monitoring service WebWatcher for one year to anyone who thinks they were impacted by the four-year network intrusion. You can sign up now. The service alerts you if your information crops up online, including on the dark web. Enrollment also includes a reimbursement benefit for expenses related to fraud and identity theft, and unlimited consultation with identity theft specialists at the corporate incident response firm Kroll. The services are available to people in the US, Canada, and United Kingdom.
If you’ve stayed at an SPG hotel in the last few years, the standard advice applies: Enroll in the free monitoring, change your SPG password—and on any other account where you might have reused it—and watch your finances for suspicious activity.
The Marriott breach does have a slightly less common, though not unheard of, component of exposing hundreds of millions of passport numbers. These can be used to make counterfeit passports, a classic black market industry. But they can also be combined with other personal details about someone, like the data points stolen in the Marriott breach, to bolster traditional online fraud and abuse. And passport numbers lend an air of legitimacy to other information like name, address, date of birth, and email, potentially allowing scammers to open bank or credit card accounts in victims’ names.
Crane Hassold, senior director of threat research at the phishing defense firm Agari, points out that passport numbers can also be used to track someone’s movements. For example, US Customs and Border Protection offers a public database for tracking your travel history. Someone with your information, particularly your passport number, can run the queries, too. US citizens can renew their passports at any time to receive a new passport number, applying by mail or in person at an approved State Department facility. If you are years away from a passport’s expiration, you may need to include a letter with the application about your reason for renewing early.
“The more information a scammer can collect on an individual the better for them,” Hassold says. “They’ll undoubtedly find a way to maliciously use every piece of data they collect.”
Marriott clearly learned from past corporate breach disclosure gaffes in responding to this incident with resources and information for victims. But it’s difficult to simply call it an “incident” when the attack played out over four years. Marriott spokesperson Connie Kim told WIRED that the company’s investigation is ongoing, and it doesn’t have definite answers yet about how the attackers initially got onto the Starwood network, or how the activity went undetected for so long.
“They are still investigating this heavily and don’t know to what extent attackers had access—this could turn out to be much, much larger,” says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. “Four years is an eternity when it comes to breaches. If attackers had access for that long I would assume they had access to virtually everything.” He added, laughing, “I know I would.”