Marriott hack involves 500 million Starwood quests' data

Marriot announces a data breach that involves around 500 million Starwood customers

Marriott revealed that a hacker has exposed details such as birth dates, passport numbers, and so on, of 500 million users.

Marriott International Inc.^[1] has recently disclosed suffering from mysterious access to its Starwood clients' database.^[2] It is known that hackers accessed such information in 2014 and continued doing that for an unknown period. As a result, over 500 million customers have become the victims of the data breach which is considered to be enormous, leaving Equifax, Under Armour, eBay and many other companies behind.

A report claims that the data breach touched only the information related to Starwood's reservations because this system is kept separate from others. However, it involves numerous customers, including 170 million customers who lost their basic information (email address, physical address) and 327 million customers who had their name, address, email address, date of birth, phone number, passport number, and similar details stolen.

Needed changes are implemented right after the hack was discovered

Cybersecurity experts received an alert about the database breach on September 8, 2018, when the company was warned about an attempt to access the company's database. The results revealed that the hackers could be accessing the systems since 2014.^[3]

It seems that the data exposure involves only those customers who booked a reservation before September 10 or exactly on that day. Besides, the attackers also managed to encrypt payment card information by using a unique encryption algorithm – AES-128 – and also compromised the decryption keys. If this type of activity might have turned out to be successful, cybercriminals might have been able to misuse credit card information for illegitimate purposes.^[4]

Marriot is working hard to make this situation less dangerous. According to Mr. Sorenson, the Chief Executive Officer of Marriott International, they have already set a dedicated website and have implemented the following security precautions:

We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network

The company has already taken actions to inform all victims about their email addresses, and credit card data being exposed by hackers.^[5] Furthermore, the company has urged people to stay careful and note that all valuable and true information from the company comes only from this email address: starwoodhotels@email-marriott.com.

The situation is even worse because of the encryption

Marriott has also discovered that an unknown hacker managed not only to access the information but has also encrypted it! Moreover, such data has been copied and attempted to for the removal from the system. Gladly, the Marriott organization was able to take actions against this unwanted activity. The firm identified the location from where the information was coming and is trying to initiate the decryption:

On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

Data breaches are widespread nowadays, and we all need to learn techniques that could let us avoid unwanted data exposure. First, you should always be very careful while registering a new account. Make sure that all information you enter is essential and try to provide as less personal details as possible.

Moreover, you can use a two-factor authentication technique^[6] which makes it harder for hackers to break through the account's security system. Even though these steps do not guarantee 100% online safety, they still will increase your account's protection and make it less vulnerable to data breach attacks.