Major Cyber Attack at Marriott affects Millions of Clients
Security experts have expressed concerns following news of a data breach affecting the Marriott hotel chain. There are fears that the data, stolen from clients who have stayed with the brand of luxury hotels over the last four years, could be used for burglary, espionage or other crimes. The attack affects any reservations made on or before September 10 this year, when cybersecurity experts discovered the breach. Marriott's shares slumped significantly following the news.
Marriott itself has been unclear about the extent of the breach or what decisive action it will take to help victims beyond initial help through a customer support website and phone line. Many questions have been raised, but amongst the most urgent to answer are how many people have had their credit card information stolen and whether the company will offer any additional compensation. The hotel group will now be subject to several international investigations that will result in lawsuits. It must also be prepared for lawsuits brought on behalf of customers and for reputational damage whose effects will be felt long after the dust has settled.
It is thought that as many as 500 million Marriott clients could be affected. Hackers stole data including passport numbers, credit and debit card numbers and personal details relating to their stay. It is not clear how many people have been affected by the credit card information breach. It is highly possible that the travel details of government officials, including the location and date of travel, have also been taken.
This kind of theft has become common in recent years and is thought to be one way for nation-states to track the movements of diplomats and other people of interest to espionage agencies. Unconfirmed reports suggest that China could be behind the attack. If this were proven, it could mark further diplomatic tensions between the US and China. Even the suggestion that China is behind the attack could be diplomatically provocative as governments and Marriott search for answers and potential explanations for this serious incident.
The breach could now be considered one of the largest ever recorded. It would also show that the attack was made to gain access to personal data rather than for financial gain. Another notable hack occurred in the US in 2013, when a Target breach affected 41 million credit card users and exposed contact information for more than 60 million guests. The internet company Yahoo suffered two major attacks in 2014 and 2016 which affected over 3 billion users. In 2017, the credit company Equifax also suffered a data hack. The hotel company Hilton also suffered data breaches in 2014 and 2015.
Academic specialists in cybersecurity raised concerns that this attack was more advanced than merely stealing credit card information. The personal information obtained about a person's stay at a hotel could be used for identity fraud or incrimination. If, as feared, the hackers are from a nation-state, gaining access to the reservation system could be more troubling. There are suspicions that there could be links to other recent attacks on American organizations such as the US Office of Personnel Management.
It will be difficult to identify the hackers because the tools are widely available, and so there is no firm evidence to confirm that China is the culprit. It is also believed that several groups are involved, which is likely given that the breach began in 2014. The incident highlights yet again that companies are perhaps not doing enough to prioritize the safety of the personal data they hold for business reasons. There have now been several calls for this to be changed urgently to prevent such an incident from happening again.
The data held at hotels is highly extensive and could be used for home burglaries in the future, experts warned. Other information, such as planned future journeys, could be taken advantage of to break into empty homes. The hack raises questions about the amount of data that hotel companies maintain and whether this should be limited to include only the most necessary information to prioritize the safety of the customer.
Some affected hotel brands were run by Starwood and included Sheraton, St Regis, The Luxury Collection, Le Meridien, Westin, Element, Aloft, Four Points and W Hotels among many others. Starwood also has unbranded timeshare properties which are affected, while Marriott branded chains are not included. Emails have now been sent out to those affected to explain the situation.
Experts are still establishing the full extent of the attack. It is unclear whether data from multiple stays by the same person could be affected. It is also unknown precisely what hackers could do with the credit card information. Despite additional security checks, it is possible that hackers have obtained enough from the encrypted data to decrypt the card numbers and put the cards to full use.
Security analysts are concerned about the length of the breach. While some attacks last several months, it is uncommon for a hack to last four years, they explained. The security breach continued during the merger between Marriott and Starwood in 2016. A further aim of the investigation is to discover how this could occur and determine the full extent of the hack. The length of the breach suggests once again that it was carried out to steal personal data rather than financial information.
So far, it is thought that two-thirds of the victims of the hack have had key details such as email addresses, phone numbers, passport numbers and postal addresses stolen. The database is thought to have contained the details of up to 500 million customers. It is also possible that the hacked features
Marriott has now established a website and call center phone number for clients who believe that they have been affected. Marriott has warned customers to be aware of any suspicious transactions or mass emails from scammers who claim to be from the Marriott Group. It has made clear that it would never send emails with attachments or request any details from customers over email.
For customers in countries such as the US or Canada, the company is offering a free one-year subscription to a programme called Website catchers, which alerts people if their information is being sold online. This will expire after only a year and is unlikely to be helpful given the widespread assumption that the hack was carried out to obtain personal data rather than financial information. This would appear to back up suspicions that China could be the culprit behind the attack.
It is unclear whether details such as passport numbers have been affected. Passport numbers have been taken in previous hacks. In October this year, the Hong Kong-based airline Cathay Airlines suffered a hack which affected over 9 million people, and amongst the data stolen were passport numbers. However, one mitigating factor is that passports must usually be presented in person to be used as valid identification. In the end, a passport is a document with several security features to prevent identity fraud. A credit card, meanwhile, can easily be canceled and a new one issued in only a few days.
Starwood announced a merger with Marriott in 2016 at a time when it had 21 million people on its loyalty programme. The company runs over 6700 properties, most of which are based in the US. The merger is thought to have created the largest hospitality and hotel brand in the world. The hospitality sector is a common target for attacks due to the prevalence of databases containing large amounts of personal data. Since the merger, there have been several technical problems in merging the computer systems. The hack raises serious questions about the safety and security of data systems during company mergers, especially on the scale of that between Marriott and Starwood.
There was a problem with the system integration which involved customer data, and it is now clear that no security audit was carried out during the merger operation. Poor communication and a lack of focus on security are likely to be partially to blame for the extent of the hack Marriott have suffered. The merger serves as an example to companies that IT mergers should not be carried out without considering how personal data can be safeguarded.
Security experts warn that other data could be more damaging than passport numbers, such as personal information including name, date of birth and addresses. They believe this information could be used to open fraudulent bank accounts and commit additional crimes. Again, clients of Marriott and Starwood have been warned to be vigilant against phishing, scam emails, and other attempts by people claiming to be from the company to obtain any missing information the hackers would need to carry out transactions.
Overall, experts disagree over how much damage could be done from taking passport numbers and will surely continue to do so until the exact numbers are known. Marriott has until now refused to speculate on the numbers but has assured that the numbers would be very low.
In September there was a security warning about an internal data breach, but at the time the company was unable to determine the full extent of the scandal until last week. International data regulators are now investigating. It may be the case that Marriott is found negligent and fined a large amount of money as a consequence. The hack raises serious questions about Marriott's ability to keep customer data safe and act swiftly despite knowing about the scandal for some time.
It certainly breaches the high standards and values which they promote within their brand to their customers. The Federal Bureau of Investigation and other data authorities are aware of the incident and have begun to investigate. Also, though it is too early to tell, the company may have lost the trust of its customers in joining the loyalty programme. The episode is likely to have long-term financial implications and will inevitably cause damage to the long-established international reputation of the company.
Marriott has announced that it is difficult to say how the hack will affect the company financially. However, the company does have cyber insurance, and it is collaborating with the insurers to determine the damage caused and any potential coverage it could provide. Regarding fines, these depend on the territory. In Europe, the company would be subject to regulation under the GDPR, which can fine 4% of annual turnover for data breaches.
In the US, New York's attorney general and legislators in the House of Representatives have announced an investigation. Security experts have predicted a large fine based on the size of the breach. Several lawsuits have now been filed to protect customers who have been affected. Some figures in politics have called on the company to act swiftly to minimize the damage of the hack on customers, as well as to pay any incurred charges such as passport renewals.
It is clear that action is necessary to limit and prevent this kind of incident from happening in the future. Some lawmakers have also called for stronger laws to tackle data breaches or any such violations and to ensure that companies only hold the data that they may need.
For now, millions of customers have been left worried about the security of their data and, crucially, whether they can even trust large companies to hold their data securely. This feeling of uncertainty is probably not limited to customers of the Marriott hotel group. It will take some time for consumers to regain their trust in large multinational companies and their ability to keep their data safe. Security of personal information is crucial and a rightful concern in the digital age.