Obama was president of the United States, Apple introduced its first watch, Russia invaded Crimea, and the San Francisco Giants won the World Series. The year was 2014, and from then until November 2018, hackers have been stealing data from computers controlled by Starwood Hotels and Resorts (now owned by Marriott Hotels).
All told, records belonging to as many as 500 million guests were stolen, the company said in a statement November 30.
Over those four years, Marriott said, hackers had unfettered access to guest records such as names, mailing addresses, email addresses, and unspecified “limited information.” Regarding 327 million of the affected hotel guests, they also stole “some combination” of phone number, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
READ MORE ON DATA BREACHES
How to tell you’re part of the 30 million user Facebook breach
Facebook was breached. Here’s what we know (and don’t)
How to recover from a health care data breach
Want to stop data breaches? Make companies accountable
How to deal with Equifax and our ‘broken’ credit protection system
So you’re caught in a data breach. Now what?
An unspecified number of those records also included credit card numbers and expiration dates. While Marriott says the payment information was encrypted, the company admits that at this time, it cannot guarantee that the codes to decrypt payment information were not also taken.
Guests of at least a dozen hotel chains are affected, stretching across some of world’s best-known hotel chains: Marriott, Westin, Sheraton, The Luxury Collection, Four Points by Sheraton, W Hotels, St. Regis, Le Méridien, Aloft, Element, Tribute Portfolio, and Design Hotels. The company said it is working with law enforcement officials and “leading security experts,” and that it has started to email affected guests.
More than a dozen Marriott and Starwood guests who spoke with The Parallax said they have not yet received email notifications about the breach. A company representative said in a statement to The Parallax that Marriott is sending notifications “on a rolling basis.”
“Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” the company said in its statement.
“Marriott must personally notify customers under the greatest security risk immediately, and then foot the bill for those folks to acquire a new passport and number, should they request it.”—Sen. Chuck Schumer (D-N.Y.)
According to the statement, a Marriott computer security tool notified the company that there was an attempt to access the Starwood guest reservation database on September 8, and a subsequent investigation uncovered the scope of the breach. On November 19, the company discovered that the breach involved guest data, it said.
Many questions remain about how the breach went unnoticed for so long, as well as how vigilant consumers and corporations whose data was involved in the breach need to be. For example, anyone who made an online reservation at a Starwood property between 2014 and 2018—even those who are not members of the Starwood Preferred Guest program—might be affected.
Marriott is already facing at least one lawsuit over the data breach, and Sen. Chuck Schumer (D-N.Y.) has demanded that the hotelier pay for affected consumers to replace their passports. The Department of State charges adults $110 to replace a lost or stolen passport, which includes changing passport numbers.
Schumer warned that “the clock is ticking” against Marriott breach victims because passport numbers, when combined with other personal information, could make victims of the Marriott breach “more vulnerable” than other data breach victims.
“That is why Marriott must personally notify customers under the greatest security risk immediately, and then foot the bill for those folks to acquire a new passport and number, should they request it,” Schumer said in a statement emailed to The Parallax.
A Marriott representative said in an email that the company will reimburse victims for the cost of a new passport only if the company determines that identity theft occurred because of this data breach.
That runs contrary to recommendations from the Identity Theft Resource Center, which says on its website that consumers who are concerned about whether their passport numbers were part of the breach replace them immediately. Marriott’s representative said the company has not yet determined whose passport numbers were stolen.
Attempts to register for the free credit and identity theft monitoring service Marriott is offering affected consumers were met with error messages on Friday and Monday. The company has not released any information about who might be behind the data theft, nor is it clear whether this breach is related to a previous Starwood breach disclosed in 2015.
Adam Kujawa, the director of Malwarebytes Labs, says finding out who the hackers behind the breach are could take years because Internet tools like VPNs, the Tor Project, and proxies “make it easy” for people to hide their identity online.
“Hopefully during this four-year infestation, one of the hackers logged on from a non-secured system,” he says, and eventually can be traced. “These guys set up shop, make a home, and they can get in and out of the network.”