Marriott’s data breach, the second-biggest in history

Over 500 million consumers have had their personal data exposed to cyber-criminals as Marriott announced a breach of its Starwood booking database on Friday.

The number of affected customers makes this the second biggest data breach in history; the unenviable position of experiencing the biggest breach goes to Yahoo when its 3 billion accounts were compromised.

How did the hack occur?

In a further worrying twist, the company says unauthorised people have been able to access the database since 2014. Only bookings for properties under Starwood, which Marriott acquired in 2016, and not Marriott-branded hotels, were affected, as that data was held on a separate database.

Marriott had protected its database of financial information with encryption, a method explicitly recommended in the GDPR, but couldn’t guarantee that hackers didn’t have access to the key that decrypts that data and makes it readable, according to a statement issued by the chain.

In addition to names, addresses and contact information, hackers may have also accessed payment information, which could be used to make purchases, and passport details, which could lead to convincing identity fraud. A Marriott press release states that no more than 327 million customers could have possibly had financial information or additional details like passport numbers exposed.

How much could this cost Marriott?

Multiple class-action lawsuits have already been filed against Marriott, with one seeking $12.5 billion in damages – equating to around $25 for each affected customer. Shares fell by 5.7% on the afternoon of the attack, while US Senator Charles Schumer argued that Marriott should pay for replacement passports for affected customers.

In addition, Marriott is offering a free one-year subscription to WebCatcher, a service that monitors websites where stolen information is shared, and US customers are eligible for reimbursement of legal expenses related to identity theft and a consultation with a fraud specialist. There’s no doubt that this breach will cost the biggest hotel chain in the world an enormous amount.

What if I’ve been affected?

The first step is to check the email address registered to your Marriott booking; Marriott has contacted all affected customers who registered an email address. If you didn’t register an email address with the firm, you’ve forgotten which email address is registered or you no longer have access to it, call the hotline dedicated to dealing with this data breach.

Identity theft is a real threat with this attack. Names and addresses, combined with passport details and dates of birth, could be used to take out financial products in your name, such as loans or new bank accounts. Additionally, fake passports could be created based on your passport number. The Economic Times has recommended that customers who may be at risk keep a close eye on their finances and credit reports, looking out for suspicious activity.

This breach is a little different to many high-profile breaches of late like Ticketmaster, Uber or the infamous Yahoo breach. Due to the nature of Marriott’s business as a hotel provider, hackers could potentially break into your home if your address was breached, because they’ll know when you’re away. It’s probably the first time that reputable outlets including The Economic Times and LegalShield have recommended this as a result of a digital data breach, but they’ve advised you to consider a house-sitter or additional home security measures if you’ve booked a future trip.

Changing the password to your Marriott account is also recommended, and if you’ve used that password for other logins, change that too. Using a reputable password manager can help you manage multiple complex passwords and generate difficult-to-crack passwords for you – I use LastPass. Our security expert Grant has written a blog on how to create your own uncrackable password – and it doesn’t necessarily involve complex characters…

Finally, be vigilant when it comes to actioning emails purporting to be from Marriott. It’s a standard tactic of hackers to send targeted phishing campaigns to the victims of a data breach, posing as the company that experienced the breach. Marriott has advised that it will not send any attachments with its emails, nor will it request personal information via email, so if you receive an email with either of these red flags, delete it immediately and call Marriott instead.
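The two red flags above (an attachment, or a request for personal information) can be turned into a simple mail-triage rule. The following is an added example, not code from the original post or from Marriott: it parses a raw message with Python's standard email library and returns the reasons a message should be treated as suspicious. The sender allow-list is an assumed placeholder, not Marriott's real sending domains, and the sample messages are constructed.

```python
"""Triage rules for mail claiming to come from a breached company.

Added example; the allow-list and the sample messages are assumptions,
not anything Marriott publishes.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed placeholder allow-list of sending domains (not verified).
ASSUMED_TRUSTED_DOMAINS = {"marriott.com"}

# Phrases that signal a request for personal information.
PERSONAL_INFO_PATTERNS = [
    r"\bpassword\b",
    r"\bpassport\b",
    r"\bcard (?:number|details)\b",
    r"\bdate of birth\b",
    r"\bconfirm your (?:identity|account|details)\b",
]


def sender_domain(msg):
    """Extract the domain from the From header (empty string if none)."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def triage(raw: bytes) -> list:
    """Return a list of red flags found in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    domain = sender_domain(msg)
    if domain not in ASSUMED_TRUSTED_DOMAINS:
        reasons.append(f"sender domain {domain!r} is not on the allow-list")

    # Red flag 1 from the post: the company said it would not send attachments.
    attachments = [p.get_filename() for p in msg.iter_attachments()]
    if attachments:
        reasons.append(f"carries attachment(s): {attachments}")

    # Red flag 2 from the post: it would not ask for personal information.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for pat in PERSONAL_INFO_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            reasons.append(f"requests personal information (matched {pat!r})")
            break
    return reasons


def build_sample(sender, subject, text, attach=False) -> bytes:
    """Build a constructed sample message for testing the rules."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "guest@example.com"
    m["Subject"] = subject
    m.set_content(text)
    if attach:
        m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                         subtype="pdf", filename="claim-form.pdf")
    return m.as_bytes()


# Constructed samples: one benign notice, one imitation with both red flags.
LEGIT = build_sample("Marriott <noreply@marriott.com>", "Important notice",
                     "We have updated our privacy notice. Visit our website for details.")
PHISH = build_sample("Marriott Guest Services <alerts@marriott-verify.example>",
                     "Action required",
                     "Please confirm your identity and reply with your passport number.",
                     attach=True)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, triage(raw))
```

The rules are deliberately coarse: a benign message returns an empty list, while anything with an attachment or a request for personal details is flagged regardless of how convincing the branding looks, which is exactly the advice in the post.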

How can I protect my business?

Marriott used industry-standard AES-128 encryption to protect the financial information of its customers, which will be a point in its favour under the GDPR. However, security experts have warned that the company could have discovered and prevented the breach much earlier, with some believing it was related to the smaller breach Starwood experienced in 2015, in which malware was installed on point-of-sale systems to collect credit card information. A more thorough investigation into this breach may have uncovered the attacker lurking in the systems, the experts say.

It’s unclear how this attack went undetected for so long, given that Marriott first discovered it due to a security alert on 8th September, but it highlights how important it is to test your cybersecurity and ensure you’re monitoring your systems and databases regularly. The company’s November announcement could, however, land it in hot water with the ICO for breaching GDPR reporting regulations.

This attack also proves that one method of cybersecurity alone isn’t enough. Encryption is one of the most robust methods of protecting sensitive data, but as this attack shows, it’s not fool-proof if an intruder is already in your systems. A synchronised approach to security, which takes into account all possible entry points including your firewall or stolen credentials, will ensure that, if hackers get through one part of your defence, there are multiple other measures in place to stop them going any further.
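The monitoring that the two paragraphs above call for does not have to be elaborate to catch the kind of bulk read that turns a foothold into a 500-million-record breach. The following is an added example, not Marriott's or Starwood's tooling: it runs two independent checks over a constructed database audit log, one comparing each query's row count against the account's own median, and one flagging an account touching a table it is not expected to use. The log format, account names, tables and thresholds are all assumptions.

```python
"""Bulk-read and unexpected-table detection over a constructed audit log.

Added example; the log lines, account names and thresholds are invented
for illustration and do not describe any real system.
"""
from collections import defaultdict
from statistics import median

# Constructed audit lines: timestamp account table rows_returned
SAMPLE_LOG = """\
2018-09-01T09:12:03Z reservations_app guest_profiles 1
2018-09-01T09:14:11Z reservations_app guest_profiles 2
2018-09-01T10:02:45Z reservations_app guest_profiles 1
2018-09-01T11:30:00Z reporting_svc guest_profiles 5000
2018-09-01T11:31:00Z reporting_svc guest_profiles 4800
2018-09-02T03:17:22Z reservations_app guest_profiles 250000
2018-09-02T03:19:40Z reservations_app payment_cards 180000
"""

# Assumed allow-list of tables each account legitimately reads.
EXPECTED_TABLES = {
    "reservations_app": {"guest_profiles"},
    "reporting_svc": {"guest_profiles"},
}


def parse(log_text):
    """Parse the whitespace-separated audit format into dicts."""
    events = []
    for line in log_text.splitlines():
        ts, account, table, rows = line.split()
        events.append({"ts": ts, "account": account, "table": table, "rows": int(rows)})
    return events


def baseline(events):
    """Median rows returned per account; median resists a few outliers."""
    per_account = defaultdict(list)
    for e in events:
        per_account[e["account"]].append(e["rows"])
    return {acct: median(rows) for acct, rows in per_account.items()}


def detect_bulk_reads(events, factor=100, min_rows=10000):
    """Flag queries returning far more rows than the account's median.

    The absolute floor stops a low-volume account being flagged for
    returning 200 rows instead of 2.
    """
    base = baseline(events)
    return [e for e in events
            if e["rows"] >= min_rows and e["rows"] > factor * base[e["account"]]]


def detect_unexpected_tables(events, expected=EXPECTED_TABLES):
    """Flag an account reading a table outside its allow-list."""
    return [e for e in events
            if e["table"] not in expected.get(e["account"], set())]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in detect_bulk_reads(evs):
        print("BULK READ", e)
    for e in detect_unexpected_tables(evs):
        print("UNEXPECTED TABLE", e)
```

In the sample, the reporting account's large exports stay within its own norm and are not flagged, while the application account's two early-morning reads stand out on both checks; the second check fires even when the row count alone would not, which is the layered effect the paragraph above describes.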

For more information on how you can protect your business from data breaches, check out some of our previous blogs: