The Marriott hack: what we know so far

Last Friday, November 30, 2018, Marriott International, Inc. (“Marriott”) disclosed a data breach impacting up to 500 million guests who stayed at its Starwood properties across the globe. The breach centered on the Starwood guest reservation database, which holds information such as mailing addresses, e-mail addresses, payment card data, passport numbers and arrival and departure dates.

This breach is different from others because of the variety of data accessed

While it remains unclear what information the hackers were targeting, it is likely that this breach is about more than just stealing payment card information. In this case, the hackers were able to get a bounty of nonfinancial information, which can easily be combined with other information available on the black market to make it even easier for a bad actor to assume someone’s identity. Having this extra information can help hackers answer the security questions that guard password-protected accounts. The information can also be used to create more personalized and detailed phishing attacks, in which a criminal sends a particular person an e-mail that appears to be legitimate in an attempt to gain access to information. By including highly personal and detailed information about travel dates and locations, phishing e-mails become harder to detect.

Many experts reported that the data does not appear to have been offered for sale on the “dark web.” In general, when stolen data does not surface on the dark web, it is a state actor obtaining the data for intelligence purposes.

The breach may have been ongoing for four years

Marriott said that an internal security tool flagged an attempt to access the guest reservation database on September 8, 2018. A further investigation then revealed that the hackers had had access to the Starwood database since 2014.

Adding to Marriott’s headache is a smaller breach from approximately three years ago. In 2015, Starwood reported a breach in which attackers installed malware on point-of-sale systems in some hotels to harvest payment card information. That breach was disclosed four days after Marriott announced the deal to acquire Starwood. Marriott has responded that the 2015 incident was not related to the current breach. But many experts in the field say that a more thorough investigation into the 2015 incident might have uncovered the hackers, who went on to retain access for three more years.

A class-action lawsuit was filed

A national class-action lawsuit was filed alleging that Marriott failed to “properly safeguard consumers’ highly sensitive and confidential information.” The complaint does not disclose the amount sought in damages.

Additionally, the United Kingdom’s data protection commissioner and attorneys general from several states, including Maryland, Massachusetts, New York, Pennsylvania and Texas, have stated that they intend to look into the incident.

There could be an impact on due diligence in deals

Because it appears that the hackers had access to the Starwood guest reservation database before the 2016 merger with Marriott, many are questioning the cybersecurity due diligence performed in that deal. We have seen data breaches affect large deals in the past, but typically the breach was discovered before the deal closed. Here, however, Marriott contends it only learned of the breach this September, about two years after the $13.6 billion deal.

While Marriott does have cyber insurance, it will still have to absorb the full financial (and reputational) impact of the breach, which could get expensive. In Europe, for example, under the General Data Protection Regulation (GDPR) companies can be fined up to 4% of global revenue.

Regulatory authorities and courts will also likely examine whether Marriott was “reasonable” in its due diligence of Starwood’s cybersecurity systems and procedures. This could have far-reaching effects on cybersecurity diligence and make a complete review of a target’s cybersecurity regime the norm.

What next?

Because of the variety of information accessed, individuals who believe their data may be compromised should immediately freeze their credit by contacting the three major credit bureaus. Marriott is also offering guests one free year of enrollment in WebWatcher, which monitors websites where personal information is shared and notifies a consumer if any of his or her personal information is found.

We can expect to keep hearing about this breach for a while.