Yet Another Mega Hack to Add to the List

SingleSource Limited
Dec 10, 2018


Hacks seem to be in the news constantly. A hack, in the sense used here, is an intentional attack on a system to obtain data the attacker is not authorized to access. It can be carried out by one person or a group, and it can require deep skill or almost none. The easiest route for an attacker is to look for a weakness that can be exploited, and very often that weakness comes down to human negligence: information left unsecured where a third party can reach it if they try. What kind of data a hacker wants, and what he or she plans to do with it, largely determines who the victim will be.

They happen more than you think

You are right in thinking you hear about these attacks all the time. In 2014 there were reportedly 4,000 cyber-attacks on businesses every day, and the rate has only increased since. One reason is that many companies are still not taking these threats seriously: privacy and security are simply not core values for them.

This time it’s Marriott

Yet another company in a long list to demonstrate a lack of care and attention to customer data is Marriott. You have probably heard about it, because it was all over the news, as these things are. But just in case: Marriott’s Starwood guest reservation database was hacked. (Note that hotels carrying the Marriott name were NOT affected; they ran on a separate reservation system.) It was a big hack for more than one reason. On September 8, 2018 an internal security tool alerted Marriott to an attempt to access the Starwood database, and the investigation that followed found that the personal information of up to 500 million guests had been compromised. Marriott did not announce the breach until November 30, nearly three months later. To make matters worse for them (and for everyone else, really), the investigation determined that the unauthorized access had begun back in 2014. That is four years of exposure, for anyone who is counting.

This is the second-largest known breach to date, behind only Yahoo’s, which compromised 3 billion accounts. Next on the list is AdultFriendFinder, with 412 million accounts compromised. Other well-known companies that we should be able to trust with our data have also been breached in recent years: think Target, eBay, and Equifax.

Marriott is one of the largest hotel chains in the world and includes brands you know, such as W Hotels, St. Regis, Sheraton, Le Meridien, Four Points, and Westin. Starwood Hotels and Resorts was acquired by Marriott International in 2016 for about $13 billion, a deal signed two years after the intrusion began. This newly discovered breach was not the first for the company, either. Cyber-attacks are common, especially in the retail, restaurant, and hospitality sectors. An attack that originates outside a company’s own network is hard to prevent outright, but careful attention and a fast response can certainly limit the damage.

Because the intrusion began in 2014, the criminals had access to the data for four years, which makes the breach far worse than it would have been had it been stopped earlier. The old saying “time is money” is no joke. The often-quoted industry average is 206 days just to identify an intrusion; Marriott took around 1,500 days, but who’s counting? All that undetected time allowed the attackers to learn the system thoroughly. They could have reached sensitive information before it was encrypted at rest, and they could then have encrypted the data they were stealing themselves so that it left the network without raising alarms.

What data was accessed?

The hackers ended up accessing names, birthdates, mailing addresses, arrival and departure information, gender, email addresses, payment card information, Starwood Preferred Guest account information, and passport numbers for up to 500 million Starwood guests. For roughly 170 million of those people only names and addresses appear to have been exposed, but for the other 327 million the exposure went as far as passport numbers. We know the payment card numbers were encrypted, but with the attackers inside the system for four years, who knows whether they also obtained the keys needed to decrypt them. Marriott itself has said it cannot rule that out.

What’s the worst a breach like this can do?

Data breaches like this expose the affected people to identity theft, fraud, and other harms. The exposure of passport numbers was unusual and especially dangerous, though. A passport number can be used to forge a passport or to open financial accounts, and combined with the holder’s name and birthdate it can be entered into the U.S. Customs and Border Protection’s public travel-history lookup to retrieve that person’s entry and exit records.

What Marriott is doing about it

Though a breach like this never should have happened, should not have taken this long to discover, and should not have taken as long as it did to report to the authorities and the affected people, Marriott is providing some support. They have set up a call center to respond to customer questions and concerns, created a breach notification website with some information, and are emailing the people who have been affected. Some paid services are also being provided free of charge: affected Marriott customers get unlimited free consultations with identity theft specialists from Kroll, a free one-year subscription to WebWatcher (an identity monitoring service), and reimbursement of expenses related to identity theft and fraud. Unfortunately none of this makes up for the anxiety, and Marriott will only pay the $110 for a new passport if it determines that you were actually subject to fraud as a result of the breach.

What you can do if you were a Starwood customer

There are some things you can do whether you stayed at a Starwood hotel in the past four years or were caught up in a different breach. None of them undoes the exposure, but together they go a long way toward minimizing your risk:

  • Check your bank and credit card statements for transactions you did not make
  • Keep an eye on your credit report to make sure no one is taking out a loan or a new credit card in your name
  • Check your reward points account to make sure your points are not being spent by someone other than you
  • Apply for a new passport so that the exposed passport number is no longer valid
  • Change your password on any account that used the same or a similar password as your Starwood rewards account

Are there going to be any consequences for Marriott?

It is a little early to say how Marriott will be affected by this breach; we may not know the full ramifications for quite a while. The New York Attorney General’s office is looking into it, as are the attorneys general of several other states. The European Union’s new General Data Protection Regulation (GDPR) could also come into play, though it is hard to say how. The GDPR contains the world’s strongest data protection rules, imposing obligations for better data handling and giving individuals more rights over the personal data that companies hold about them. It has only been in full effect since May of this year, so it is unclear how it applies to an intrusion that began before the regulation took force (though the breach was discovered, and reported, after it did). Where it applies, the GDPR allows fines of up to €20 million (about $22.7 million) or 4% of annual global revenue, whichever is higher, as well as a ban on processing personal data. Beyond the regulators, Marriott is already facing multiple class action lawsuits alleging a significant breach of trust and a failure to safeguard consumers’ sensitive information.

This is only speculation, but was the acquisition process a distraction? Could this four-year wait have been avoided had there not been an acquisition under way? Whatever the reason, private consumer information is at risk at companies of any size. Companies need to start showing more care about the data they hold, and with these risks in mind consumers need to take whatever measures they can to compensate. That could mean controlling your personal identity, and who has access to it, on the blockchain.

SingleSource Limited

Providing people with transparency, trust and control over their own data, whilst providing organisations the capability to make informed risk decisions.