Espionage, ID theft? Myriad risks from stolen Marriott data

Espionage, ID theft? Myriad risks from stolen Marriott data

Hackers stole data on as many as 500 million guests of former Starwood properties over four years.

By Michelle Chapman, Mae Anderson and Frank Bajak

Associated Press

NEW YORK — The data stolen from the Marriott hotel empire in a massive breach is so rich and specific it could be used for espionage, identity theft, reputational attacks and even home burglaries, security experts say.

Hackers stole data on as many as 500 million guests of former Starwood chain properties over four years including credit card and passport numbers, birthdates, phone numbers and hotel arrival and departure dates.

It is one of the biggest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.

But the target here — hotels where high-stakes business deals, romantic trysts and espionage are daily currency — makes the data gathered especially sensitive.

The affected reservation system could be extremely enticing to nation-state spies interested in the travels of military and senior government officials, said Jesse Varsalone, a University of Maryland cybersecurity expert.

“There are just so many things you can extrapolate from people staying at hotels,” he said.

And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn’t be home, said Scott Grissom of LegalShield, a provider of legal services.

The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.

Email notifications for those who may have been affected begin rolling out Friday and the full scope of the breach was not immediately clear.

Marriott was trying to determine if the purloined records included duplicates, such as a single person staying multiple times.

Security analysts were especially alarmed to learn of the breach’s undetected longevity. Marriott said it first detected until Sept. 8 but was unable to determine until last week what data had possibly been exposed — because the thieves used encryption to remove it in order to avoid detection.

Marriott said it did not yet know how many credit card numbers might have been stolen. A spokeswoman said Saturday that it was not yet able to respond to questions such as whether the intrusion and data theft was committed by a single or multiple groups.

Cybersecurity expert Andrei Barysevich of Recorded Future said Saturday he believed the breach was financially motivated.

A cybercrime gang expert in credit card theft such as the eastern European group known as Fin7 could be a suspect, he said, noting that a dark web credit card vendor recently announced that 2.6 million cards stolen from an unnamed hotel chain would soon be available to the online criminal underworld.

“We will have to wait until an official forensic report, although, Marriott may never share their findings openly,” he said.

Marriott said the stolen credit card information was encrypted but the hackers may have obtained the “two components needed to decrypt the payment card numbers.” It said it cannot “rule out the possibility that both were taken.”

For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.

The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.

Marriott set up a website and call center for customers who believe they are at risk.

The FBI would not say whether it is investigating, but said in a statement that anyone contacted by Marriott should “take steps to monitor and safeguard their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.”

Passport numbers have previously been part of a hack, though it’s not common. They were among records on 9.4 million passengers of Hong Kong-based airline Cathay Pacific obtained in a breach announced in October.

Combined with names, addresses and other personal information, passport numbers are a greater concern than stolen credit card numbers because thieves could use them to open fraudulent accounts, said analyst Ted Rossman of CreditCards.com.

The data purloining highlights just how dangerous hotels can be for people worried about their privacy.

“Hotels have long been important government sources of local information for tracking foreigners: reservation systems and loyalty programs took the surveillance global and made it easier for us to give up our privacy,” said Colin Bastable, CEO of Lucy Security.

Intelligence agencies including the U.S. National Security are well plugged into the global travel industry “by fair means or foul,” he said, non-government cybercriminals now have the same hacking tools.

“Consumers have become collateral damage,” he said. “And we are all consumers.” He advises providing hotels with as little information as possible when making reservations and checking in.

Last year, the cybersecurity firm FireEye highlighted an effort in which Russian state agents allegedly tried to infiltrate the reservation systems of hotels in Europe and the Middle East.

When its acquisition by Marriot was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was too early to say what financial impact the breach might have on the company. It said it has cyber insurance and is working with its carriers to assess coverage.

Elected officials were quick to call for action.

The New York attorney general opened an investigation.

Virginia Sen. Mark Warner said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers “shoulder the burden and harms resulting from these lapses.”

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Nation-World

FILE - Britain's Queen Elizabeth II looks on during a visit to officially open the new building at Thames Hospice, Maidenhead, England July 15, 2022. Buckingham Palace says Queen Elizabeth II is under medical supervision as doctors are “concerned for Her Majesty’s health.” The announcement comes a day after the 96-year-old monarch canceled a meeting of her Privy Council and was told to rest. (Kirsty O'Connor/Pool Photo via AP, File)
Queen Elizabeth II dead at 96 after 70 years on the throne

Britain’s longest-reigning monarch and a rock of stability across much of a turbulent century died Thursday.

A woman reacts as she prepares to leave an area for relatives of the passengers aboard China Eastern's flight MU5735 at the Guangzhou Baiyun International Airport, Tuesday, March 22, 2022, in Guangzhou. No survivors have been found as rescuers on Tuesday searched the scattered wreckage of a China Eastern plane carrying 132 people that crashed a day earlier on a wooded mountainside in China's worst air disaster in more than a decade. (AP Photo/Ng Han Guan)
No survivors found in crash of Boeing 737 in China

What caused the plane to drop out of the sky shortly before it was to being its descent remained a mystery.

In this photo taken by mobile phone released by Xinhua News Agency, a piece of wreckage of the China Eastern's flight MU5735 are seen after it crashed on the mountain in Tengxian County, south China's Guangxi Zhuang Autonomous Region on Monday, March 21, 2022. A China Eastern Boeing 737-800 with 132 people on board crashed in a remote mountainous area of southern China on Monday, officials said, setting off a forest fire visible from space in the country's worst air disaster in nearly a decade. (Xinhua via AP)
Boeing 737 crashes in southern China with 132 aboard

More than 15 hours after communication was lost with the plane, there was still no word of survivors.

Former Rep. Matt Gaetz, R-Fla., center, arrives at the U.S. Capitol in Washington D.C. with Sen. JD Vance, R-Ohio, right, the vice president-elect, on Wednesday morning. Gaetz withdrew from consideration Thursday, saying he was an unfair distraction to the transition. (Haiyun Jiang / The New York Times)
Matt Gaetz withdraws from consideration as attorney general

“It is clear that my confirmation was unfairly becoming a distraction,” Gaetz wrote Thursday on X.

Attendees react after Fox News called the presidential race for Former President Donald Trump, during an election night event at the Palm Beach County Convention Center in West Palm Beach, Fla., on Wednesday. Trump made gains in every corner of the country and with nearly every demographic group. (Haiyun Jiang / The New York Times)
Donald Trump returns to power, ushering in new era of uncertainty

Despite criminal convictions and fears of authoritarianism, Trump rode frustrations over the economy and immigration.

Voters cast their ballots at a polling place inside the Weisman Art Museum at the University of Minnesota in Minneapolis on Election Day, Tuesday, Nov. 5 2024. Voters headed into polling stations on Tuesday in the closing hours of a presidential contest that both major parties said would take the country in dramatically different directions, capping a contentious and exhausting 107-day sprint that began when President Joe Biden abandoned his bid for a second term. (Caroline Yang/The New York Times)
Live updates: Georgia called for Trump

The Daily Herald will be providing live updates on national election developments throughout Tuesday.

Liam Payne performs during the Jingle Ball at Madison Square Garden in New York in 2017. Payne, who rose to fame as a singer and songwriter for the British group One Direction, one of the best-selling boy bands of all time, died after falling from the third floor of a hotel in Buenos Aires on Wednesday. He was 31. (Chad Batka / The New York Times)
Liam Payne, 31, former One Direction singer, dies in fall in Argentina

Payne rose to fame as a member of one of the bestselling boy bands of all time before embarking upon a solo career.

In this photo taken from video provided by the Ukrainian Presidential Press Office, Ukrainian President Volodymyr Zelenskyy speaks to the nation in Kyiv, Ukraine, Sunday, Feb. 27, 2022. Street fighting broke out in Ukraine's second-largest city Sunday and Russian troops put increasing pressure on strategic ports in the country's south following a wave of attacks on airfields and fuel facilities elsewhere that appeared to mark a new phase of Russia's invasion. (Ukrainian Presidential Press Office via AP)
Ukraine wants EU membership, but accession often takes years

President Volodymyr Zelenskyy’s request has enthusiastic support from several member states.

FILE - Ukrainian servicemen walk by fragments of a downed aircraft, in in Kyiv, Ukraine, Friday, Feb. 25, 2022. The International Criminal Court's prosecutor has put combatants and their commanders on notice that he is monitoring Russia's invasion of Ukraine and has jurisdiction to prosecute war crimes and crimes against humanity. But, at the same time, Prosecutor Karim Khan acknowledges that he cannot investigate the crime of aggression. (AP Photo/Oleksandr Ratushniak, File)
ICC prosecutor to open probe into war crimes in Ukraine

U.N. human rights chief Michelle Bachelet confirmed that 102 civilians have been killed.

FILE - Refugees fleeing conflict from neighboring Ukraine arrive to Zahony, Hungary, Sunday, Feb. 27, 2022. As hundreds of thousands of Ukrainians seek refuge in neighboring countries, cradling children in one arm and clutching belongings in the other, leaders in Poland, Hungary, Bulgaria, Moldova and Romania are offering a hearty welcome. (AP Photo/Anna Szilagyi, File)
Europe welcomes Ukrainian refugees — others, less so

It is a stark difference from treatment given to migrants and refugees from the Middle East and Africa.

Afghan evacuees disembark the plane and board a bus after landing at Skopje International Airport, North Macedonia, on Wednesday, Sept. 15, 2021. North Macedonia has hosted another group of 44 Afghan evacuees on Wednesday where they will be sheltered temporarily till their transfer to final destinations. (AP Photo/Boris Grdanoski)
‘They are safe here.’ Snohomish County welcomes hundreds of Afghans

The county’s welcoming center has been a hub of services and assistance for migrants fleeing Afghanistan since October.

FILE - In this April 15, 2019, file photo, a vendor makes change for a marijuana customer at a cannabis marketplace in Los Angeles. An unwelcome trend is emerging in California, as the nation's most populous state enters its fifth year of broad legal marijuana sales. Industry experts say a growing number of license holders are secretly operating in the illegal market — working both sides of the economy to make ends meet. (AP Photo/Richard Vogel, File)
In California pot market, a hazy line between legal and not

Industry insiders say the practice of working simultaneously in the legal and illicit markets is a financial reality.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.