The breach of the reservation system for Marriott’s Starwood subsidiaries was one of the largest in history, after two record-setting Yahoo hacks, and was particularly troubling for the nature of the data that apparently was stolen, security experts said. That includes familiar information — such as names, addresses, credit card numbers and phone numbers — and also rarer prizes for hackers, such as passport numbers, travel locations and arrival and departure dates.
The potential value of such information on such a large percentage of the world’s travelers triggered speculation that Marriott may have been the target of nation-state hackers seeking to track the movements of diplomats, spies, military officials and business executives. Yet even if the hackers were mere criminals in search of profit, such data offered the raw material for a range of possible misdeeds, including identity theft.
“This is extraordinarily intimate data,” said Edward Hasbrouck, a San Francisco-based travel writer and consumer advocate who has long warned about the sensitivity and poor security of computerized travel records. “The travel industry has been grossly negligent compared to many industries when it comes to data privacy and security.”
An unauthorized party accessed the reservation database of Starwood properties — which includes hotel chains St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points and W Hotels — from 2014 onward, according to a Marriott news release. It acquired Starwood in 2016 and kept the reservation databases separate from its own until recently. The reservation system of Marriott hotels themselves were not affected by the breach reported Friday.
“We deeply regret this incident happened,” Arne M. Sorenson, Marriott’s chief executive, said in the news release. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott International is based in Bethesda, Md., and has more than 6,700 properties around the world. The company’s shares were down nearly 6 percent Friday.
An internal security tool flagged the unauthorized party’s activity on September 8. Marriott then discovered that the hackers had accessed the information, encrypted it and attempted to remove it. It took Marriott until late November to decrypt the information.
“It’s not just that it’s been continuing for four years, but that there were significant opportunities for higher scrutiny,” said Paige Boshell, an attorney with Alabama-based Privacy Counsel LLC who advises on cyber risk management and response.
The news release specified that the company used encryption to protect credit card numbers. But Connie Kim, a Marriott spokeswoman, declined to comment on whether other personally identifiable information — including names, addresses, phone numbers, email addresses and passport numbers — was protected in this way, as security experts recommend.
The company acknowledged, however, a possible failing in the encryption security it had for credit card numbers, saying that it could not “rule out the possibility” that encryption keys were taken by hackers, allowing access to troves of valuable payment data. The most secure systems lock up data with encryption keys and also make sure those keys are stored safely.
“The fact that they can’t rule out that the keys were taken sounds like a problem," said Matthew D. Green, a Johns Hopkins University cryptographer.
It’s not the first time Starwood has been hacked. In 2015, Starwood, along with other luxury hotel brands such as Trump Hotels and Mandarin Oriental, fell prey to credit card breaches. Malware aimed at stealing credit and debit card information was found on payment systems at restaurants and stores in 54 Starwood hotels in North America, according to a 2016 online letter from company president Sergio D. Rivera. That breach happened just days after the Marriott acquisition was announced.
Cybersecurity experts on Friday debated whether the hackers likely were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide. Hotel chains, with their vast customer databases and proprietary WiFi networks, can make appealing targets.
“We know that the hospitality business is a very attractive target for nation-states," said Thomas Rid, a political science professor at the Johns Hopkins School of Advanced International Studies who specializes in cybersecurity issues. "You can more easily hack some high-value targets from within a hotel WiFi.”
The presence of passport numbers in data accessed by hackers is unusual for even a large breach, but such information is routinely collected by hotels in many countries, especially from international travelers. A passport number is not enough, by itself, to make a credible fake passport that could fool border agents or other government security officials, but it’s yet another piece of useful data for a criminal attempting identity theft.
The U.S. State Department issued a statement following reports of the breach Friday, “We are aware that some individuals’ passport numbers may have been disclosed, but would like to emphasize that none of the U.S. Department of State’s records or IT systems connect to Marriott’s records or systems. No one can access the Department’s records or obtain copies of a U.S. citizen’s records by using a passport number.”
Large amounts of travel data went online several decades ago, long before many other kinds of sensitive records, through computerized airline ticketing and hotel reservation systems, but the travel industry has lagged behind some others in adopting advanced forms of security, privacy advocates say.
Health and some other categories of information are singled out for specific protections under federal law. But travel data is not, even though it can paint a precise picture of a person’s movements, lifestyle and relationships — down to whether two people traveling together choose one bed or two as they travel. Reservation systems also can provide advanced notice of where somebody is traveling, which could provide crucial political, military or business intelligence.
Security expert Matt Tait, a former British intelligence officer, said it was unclear whether the hackers were spies or mere criminals, though he suspected Marriott was a victim of a nation-state attack because the access lasted for so long without triggering suspicion.
“Nation-states are happy to watch and use the information very passively while criminals want to turn it into cash,” said Tait, a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin.
Gary Leff, author of the View From the Wing blog, said that there have been numerous hacks in recent years in the travel industry and that information from rewards programs regularly gets bought and sold by criminals online. He expressed skepticism that the Starwood reservation system hack came from a foreign intelligence service.
“I don’t think it necessarily would have taken a nation-state to crack into Starwood IT,” said Leff.
Government officials on Friday called for stricter enforcement in consumer data privacy. New York Attorney General Barbara Underwood, Maryland Attorney General Brian Frosh and Pennsylvania Attorney General Josh Shapiro all said their offices had opened investigations into the Marriott breach.
We’ve opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected.— NY AG Underwood (@NewYorkStateAG) November 30, 2018
“Checking in to a hotel should not mean checking out of privacy and security protections,” said Sen. Edward J. Markey (D-Mass.), a member of the Commerce, Science and Transportation Committee. “Preventing massive data breaches isn’t just about protecting privacy, it’s also about protecting our pocketbooks. Breaches like this can lead to identity theft and crippling financial fraud. They are a black cloud hanging over the United States’ bright economic horizon.”
The Federal Trade Commission, which oversees the cybersecurity standards of companies, is likely to investigate the Marriott breach, said David C. Vladeck, former director of the FTC’s Bureau of Consumer Protection and now a Georgetown Law professor. The FTC declined to comment.
“My assumption would be this is something that the FTC would take a very serious look at,” Vladeck said. “This is a massive breach. It’s half a billion people.”
In a filing reporting the breach to the Securities and Exchange Commission, Marriott said that while it was too early to estimate the financial impact of the breach on the company, it didn’t anticipate it would effect Marriott’s “long-term financial health.”
The hotel chain has set up a website and call center to answer questions at info.starwood.com, and said it is emailing affected guests beginning Friday.
Tony Romm contributed to this report.