Marriott Mega-Breach: Victim Count Drops to 383 MillionHotel Giant Warns 5.3 Million Unencrypted Passport Numbers Also Stolen
Marriott International says its recently discovered mega-breach isn't quite as bad as first advertised, in terms of the total number of victims. But it also warns that hackers stole 5.25 million unencrypted passport numbers that its hotels were storing as well as 8.6 million encrypted payment cards.
On Nov. 30, 2018, Marriott said it had suffered a breach that began in 2014 with a breach of the reservation database used by Starwood Hotels & Resorts Worldwide, which Marriott acquired in September 2016 for $13 billion (see: Marriott's Mega-Breach: Many Concerns, But Few Answers).
Marriott originally estimated that the breach exposed information for 500 million customers. It also said that for 327 million customers, exposed information included their "name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ('SPG') account information, date of birth, gender, arrival and departure information, reservation date and communication preferences."
But on Friday, Marriott said that instead of its estimate of 500 million customers having had some form of personal information exposed, it now believes that 383 million is the "upper limit" of affected customers.
"We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database," it says in its revised data breach notification.
Marriott, which is publicly traded on NASDAQ and based in Bethesda, Maryland, owns or franchises more than 6,700 properties across 30 hotel brands located in 129 countries and territories.
Unencrypted Passport Data Stolen
Marriott also says that its breach investigation now counts 25.6 million passport numbers being exposed in the breach, of which 5.25 million were unencrypted. "There is no evidence that the unauthorized third party accessed the master encryption key needed to decrypt the encrypted passport numbers," Marriott says. But that doesn't mean that the attackers couldn't later brute-force decrypt the numbers.
Also exposed in the breach: approximately 8.6 million encrypted payment cards that were being stored by Marriott. If attackers were able to decrypt the card data, they could have been using the stolen card data since 2014 to commit fraud.
By the time that the breach was discovered in late 2018, however, Marriott says many of the payment cards had already expired. Indeed, only about 354,000 were still active as of September 2018, it says. As with the passport data, "there is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers," Marriott says.
The hotel chain has signaled that its investigation, which began after it confirmed on Nov. 19, 2018, that the Starwood reservation system had been breached, has now nearly concluded.
"As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers' concerns and meet the standard of excellence our customers deserve and expect from Marriott," Arne Sorenson, Marriott's president and CEO, says in a statement.
It isn't unusual for breached organizations to revise their assessment of how many customers or records were impacted by a breach, as their investigation continues (see: Data Breach Notifications: What's Optimal Timing?).
The FBI is leading the U.S. law enforcement investigation into the Marriott breach, which continues.
Multiple state attorneys general have also launched investigations into the breach, and European privacy regulators have said they're also probing the incident (see: Marriott Mega-Breach: Will GDPR Apply?).
Marriott, meanwhile, does not appear to have been unprepared for the possibility of a data breach. In an 8-K filing with the U.S. Securities and Exchange Commission on Nov. 30, Marriott noted: "The company carries insurance, including cyber insurance, commensurate with its size and the nature of its operations. The company is working with its insurance carriers to assess coverage."
Email and Self-Service Notification
Marriott says it's emailing all affected customers for which is has an email address on file. "Please note that the email you may receive from us will not contain any attachments or request any information from you, and any links will only bring you back to this webpage," it says, adding that all of its communications will list "firstname.lastname@example.org" as the sender.
Customers who want to know if their personal details - including passport numbers - were exposed can also contact Marriott's call center or visit Marriott's data breach notification website. Marriott says that full information about exposed passport numbers has not yet been added to the site, but soon will be.
The hotel company has set up dedicated data breach call centers for 55 countries and regions, ranging from Argentina, Australia and Austria to the U.K., U.S. and Vietnam.
It is also offering one year of prepaid identity theft monitoring services to breach victims in 13 countries and regions. Such services may help customers whose personal details get stolen and used for fraud to try and fix the damage, although they do not compensate victims for their effort or lost time (see: Congratulations: You Get 'Free' Identity Theft Monitoring).
"Where available in your country/region, Marriott is offering affected guests the opportunity to enroll in a personal information monitoring service free of charge for one year," Marriott says. "This will be provided by Experian, a global data and information service provider. This service (IdentityWorks Global Internet Surveillance) is available to residents of Australia, Brazil, Germany, Hong Kong SAR China, India, Ireland, Italy, Mexico, New Zealand, Poland, Singapore, Spain and the Netherlands. (Experian does not currently offer this service in all countries or regions.)"
Following Marriott's warning that its breach exposed customers' passport data, the company faced calls to cover passport-replacement costs for all breach victims. The company has declined to do so, unless victims can prove that they suffered fraud as a result of Starwood or Marriott mishandling their passport number.
"The website lists phone numbers to reach the company's dedicated call center and includes information about the process to be followed if guests believe that they have experienced fraud as a result of their passport numbers being involved in this incident," Marriott says (see: After Mega-Breach, Marriott May Pay for New Passports).
One of the most active U.S. lawmakers on data privacy and protection, Sen. Mark Warner, D-Virginia, says the breach highlights a failure by many organizations to minimize the amount of data they routinely store on consumers, and he has slammed the company in particular for mishandling passport numbers.
"It's unacceptable that Marriott was retaining sensitive data like passport numbers for so long, and it's unconscionable that it kept this data unencrypted," said Warner, who co-chairs the Senate Cybersecurity Caucus, the Wall Street Journal reported.
The Marriott breach has renewed calls by some members of Congress for the country to pass strong privacy legislation. Bills from Sen. Brian Schatz, D-Hawaii, and Sen. Joe Kennedy, R-La., are among the legislation that Congress is expected to consider this year, The Hill reports.
Marriott Retires Starwood Reservation System
Two years after it acquired Starwood, meanwhile, Marriott reports that as of Dec. 31, 2018, Starwood-branded hotels are no longer using the Starwood reservation system. "With the completion of the reservation systems conversion undertaken as part of the company's post-merger integration work, all reservations are now running through the Marriott system," it says.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Investigators Eye China
Last month, The New York Times, Reuters and Washington Post, all citing anonymous sources with knowledge of Marriott's investigation, reported that U.S. officials have been eying hackers working from China as culprits. The Times, in particular, reported that investigators had found "computer code and patterns familiar to operations by Chinese actors" that suggested they might be connected to China's Ministry of State Security, a civilian intelligence agency (see: Gartner's Avivah Litan on Impact of Marriott Breach).
U.S. Secretary of State Mike Pompeo, in an interview on Fox, also appeared to suggest that officials believed China might be behind the attack.
Chinese government officials, however, have denied that anyone from their country was involved (see: Reports: China Suspected in Marriott Database Breach).