Hospitality giant Marriott today disclosed a massive data breach exposing the personal and financial information on as many as a half billion customers who made reservations at any of its Starwood properties over the past four years.
Marriott said the breach
involved unauthorized access to a database containing guest information tied to
reservations made at Starwood properties on or before Sept. 10, 2018, and that
its ongoing investigation suggests the perpetrators had been inside the company’s
networks since 2014.
Marriott said the intruders
encrypted information from the hacked database (likely to avoid detection by
any data-loss prevention tools when removing the stolen information from the
company’s network), and that its efforts to decrypt that data set were not yet
complete. But so far the hotel network believes that the encrypted data cache
includes information on up to approximately 500 million guests who made a
reservation at a Starwood property.
“For approximately 327 million
of these guests, the information includes some combination of name, mailing
address, phone number, email address, passport number, Starwood Preferred Guest
account information, date of birth, gender, arrival and departure information,
reservation date and communication preferences,” Marriott said in a statement released early Friday morning.
Marriott
added that customer payment card data was protected by encryption technology,
but that the company couldn’t rule out the possibility the attackers had also
made off with the encryption keys needed to decrypt the data.
The hotel chain did not say
precisely when in 2014 the breach was thought to have begun, but it’s worth
noting that Starwood disclosed its own breach involving more than 50
properties in November 2015, just days after being acquired by Marriott.
According to Starwood’s disclosure at the time, that earlier breach stretched
back at least one year — to November 2014.
Back in 2015, Starwood said the
intrusion involved malicious software installed on cash registers at some of
its resort restaurants, gift shops and other payment systems that were not part
of its guest reservations or membership systems.
However, this would hardly be
the first time a breach at a major hotel chain ballooned from one limited to
restaurants and gift shops into a full-blown intrusion involving guest
reservation data. In Dec. 2016, KrebsOnSecurity broke the news that
banks were detecting a pattern of fraudulent transactions on credit cards that
had one thing in common: They’d all been used during a short window of time at InterContinental Hotels Group (IHG)
properties, including Holiday Inns and other popular chains across
the United States.
It took IHG more than a month to confirm that finding, but the company
said in a statement at the time it believed the intrusion was limited to
malware installed at point of sale systems at restaurants and bars of 12
IHG-managed properties between August and December 2016.
In April 2017, IHG acknowledged that its investigation showed cash
registers at more than 1,000 of its properties were compromised with malicious
software designed to siphon customer debit and credit card data — including
those used at front desks in certain IHG properties.
Marriott
says its own network does not appear to have been affected by this four-year
data breach, and that the investigation only identified unauthorized access to
the separate Starwood network.
Starwood
hotel brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin
Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection,
Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton
and Design Hotels that participate in the Starwood Preferred Guest (SPG) program.
Marriott is offering affected
guests in the United States, Canada and the United Kingdom a free year’s worth of service from WebWatcher, one of
several companies that advertise the ability to monitor the cybercrime
underground for signs that the customer’s personal information is being traded
or sold.
The breach announced today is
just the latest in a long string of intrusions involving credit card data
stolen from major hotel chains over the past four years — with many chains
experiencing multiple breaches. In October 2017, Hyatt Hotels suffered its second card breach in as many years. In July
2017, the
Trump Hotel Collection was hit by its third card breach in two years.
This is a developing story, and will be updated with analysis
soon.