U.S. government investigators increasingly believe that Chinese state hackers were most likely responsible for the massive intrusion reported last month into Marriott’s Starwood chain hotel reservation system, a breach that exposed the private information and travel details of as many as 500 million people, according to two people briefed on the government investigation.
These people cautioned that the investigation has not been completed, so definitive conclusions cannot be drawn. But the sweep and tactics of the hack, which took place over four years before being discovered, prompted immediate speculation that it was carried out by a national government.
Preliminary indications show the breach was executed by hackers affiliated with the Chinese Ministry of State Security, said the people, who spoke on the condition of anonymity to reveal information not yet ready for public release. The MSS, an intelligence and security agency, has been behind many Chinese government intrusions into sensitive U.S. networks in recent years.
Some U.S. intelligence officials believe that the breach was conducted to enrich the massive Chinese data sets on U.S. and other citizens that have been amassed for years, the people said. Such breaches include the 2015 Office of Personnel Management intrusion, which compromised personal data of more than 20 million government employees, family members and applicants, and also information collected during Chinese breaches of health-care institutions such as Anthem and CareFirst.
The FBI and other intelligence agencies declined to comment.
The New York Times first reported that investigators believe the attackers were likely to be the work of a Chinese state intelligence service.
The Marriott breach exposed an unusually broad array of data, including names, addresses, phone numbers, passport numbers and credit card numbers, as well as information on where people traveled and with whom.
Such information would be valuable not just to criminals seeking to commit identity fraud but also intelligence agencies seeking to build dossiers and track movements of diplomats, spies, military personnel, business executives and journalists, according to several cybersecurity experts. Armed with a rich array of personal data, an intelligence agency can also tailor an approach to a person to see whether the individual can be recruited as a spy or blackmailed for information. The passport data, which is not often collected in data breaches, probably was a particularly valuable find for the hackers.
The people familiar with the investigation said the Marriott breach involved the same cloud-hosting space that Chinese state hackers have used in the past, and that one signature technique that involved hopping among servers also points to Chinese involvement. Another clue suggesting nation-state involvement was that none of the breached data has appeared on the “dark Web” or any of the forums that criminals typically use to sell stolen credentials and other valuable personal data.
"If it were a criminal act, people would be trying to sell it,” said one of the people familiar with the investigation.
The breach of the reservation system for Marriott’s Starwood subsidiaries was one of the largest in history, affecting travelers at the hotel chains St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points and W from 2014 onward, according to a Marriott news release last month.
Marriott acquired Starwood in 2016 and kept the reservation databases separate from its own until recently. The reservation system of Marriott hotels themselves was not affected by the breach. The Bethesda, Md.-based company has more than 6,700 properties around the world.
An internal security tool flagged the possible breach on Sept. 8 and later discovered that the hackers had accessed customer information and attempted to remove it in encrypted form, the company said. Marriott was able to decrypt the information and understand the extent of the breach only in November, it said.
Marriott on Tuesday reiterated its previous comment on the data breach, saying in a statement: “Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests. We have no information about the cause of this incident, and we have not speculated about the identity of the attacker.”
China’s Foreign Ministry declined to comment Wednesday. But a spokesman last week said that “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law.”
“If offered evidence, the relevant Chinese departments will carry out investigations according to the law. We firmly object to making groundless accusations on the issue of cybersecurity,” spokesman Geng Shuang said at a press briefing when asked about the Marriott allegations.
News of the breach prompted announcements of investigations by several U.S. officials, including New York Attorney General Barbara Underwood (D), Maryland Attorney General Brian E. Frosh (D) and Pennsylvania Attorney General Josh Shapiro (D). Several members of Congress also publicly demanded answers.
Privacy advocates long have warned that travel data can provide remarkably precise insights into the lifestyles, tastes and personal relationships of individuals, but the travel industry has lagged behind others, such as banking, in securing information against hackers.
Taylor Telford and Anna Fifeld in Beijing contributed to this report.