This April 30, 2013 file photo shows a man working on a new Marriott sign in front of the former Peabody hotel in Little Rock, Arkansas. Marriott says information from up to 500 million guests in Starwood hotels is at risk. | Associated Press File Photo by Danny Johnston, St. George News
NEW YORK (AP) – Hackers stole data on more than 500 million hotel guests over four years, obtaining credit card and passport numbers and other personal information, Marriott said Friday.
It's one of the biggest data breaches in history. By comparison, the Equifax hack hit more than 145 million people last year. A breach of Target in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
But the target here – hotels, where high-stakes business, romantic trysts and espionage are the daily currency – makes the data particularly sensitive.
The affected reservation system could be extremely tempting for nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a cybersecurity expert at the University of Maryland.
"So many things you can extrapolate from people staying in hotels," he said.
And since the data contained reservations for future stays as well as home addresses, burglars might find out when someone is away from home, said Scott Grissom of LegalShield, a provider of legal services.
Affected hotel brands were operated by Starwood prior to their acquisition by Marriott in 2016. These include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, the Luxury Collection, Le Méridien and Four Points. The timeshare properties of the Starwood brand were also affected. None of the Marriott brand chains was threatened.
Email alerts for those affected began to roll out on Friday, and the extent of the breach was not immediately clear.
Marriott was trying to determine whether the stolen records contained duplicates, such as a single person who stayed several times.
Security analysts were particularly alarmed to learn how long the breach went undetected. Marriott said it first detected the breach on September 8, but was only able to determine last week what data might have been exposed, because the thieves used encryption when removing the information in order to avoid detection.
Marriott said it still did not know how many credit card numbers might have been stolen. A spokeswoman said on Saturday that she was not yet able to answer questions, such as whether the intrusion and the data theft were committed by one or more groups.
Andrei Barysevich of Recorded Future said he believes the breach was financially motivated.
A cybercrime group that specializes in credit card theft, such as the Eastern European group Fin7, could be a suspect. He said that a dark web credit card vendor had recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the criminal online underworld.
"We will have to wait for an official forensic report, although Marriott may never openly share its findings," Barysevich said.
Marriott said the stolen credit card information was encrypted, but the hackers may have obtained the "two components necessary to decrypt the payment card numbers." It said that "the possibility could not be ruled out that both were taken".
For up to two-thirds of those affected, the exposed data may include postal addresses, telephone numbers, e-mail addresses and passport numbers. It may also include birth dates, gender, reservation dates, arrival and departure times, and information about the Starwood Preferred Guest account.
Marriott may be in violation of the new European privacy laws on personal data breaches, as its guests also included travelers from Europe.
Marriott established a website and call center for customers who believe they are at risk.
The FBI would not say whether it is conducting an investigation, but said in a statement that anyone contacted by Marriott "should take steps to monitor and secure their personally identifiable information and report any alleged identity theft to the FBI Internet Crime Complaint Center at www.ic3.gov."
Passport numbers have been part of a hack before, although this is not common. They were among the records of 9.4 million passengers of the Hong Kong-based airline Cathay Pacific that were obtained in a breach announced in October.
Combined with names, addresses and other personal information, passport numbers are more of a problem than stolen credit card numbers because fraudsters could use them to open fraudulent accounts, said analyst Ted Rossman of CreditCards.com.
The data breach shows how dangerous hotels can be for people who care about their privacy.
"Hotels have long been important government sources of local information on the persecution of foreigners: reservation systems and loyalty programs have made surveillance global and made it easier for us to give up our privacy," said Colin Bastable, CEO of Lucy Security.
The intelligence services In the US, the global travel industry is firmly anchored "in a fair way or through bad attacks." Cybercriminals who are not cybercriminals now have the same hacking tools.
"Consumers have become collateral damage," Bastable said. "[We] are all consumers." He advises providing hotels with as little information as possible at the time of reservation and check-in.
Last year, cybersecurity firm FireEye highlighted alleged efforts by Russian state agents to infiltrate the reservation systems of hotels in Europe and the Middle East.
When the Marriott acquisition was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties around the world, most of them in North America.
Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was still too early to determine the financial impact of the breach. It said it has cyber insurance and is working with its carriers to determine coverage.
Elected officials quickly called for action.
Virginia Sen. Mark Warner said the US needs laws that restrict the data companies can collect from customers and ensure that companies pay the security costs rather than "burdening consumers with the burdens and damages caused by these failures."
Written by MICHELLE CHAPMAN, MAE ANDERSON and FRANK BAJAK, Associated Press.
Copyright 2018 The Associated Press. All rights reserved. This material may not be published, transmitted, rewritten or redistributed.