The Data Breach Hits Marriott Hotels Group Exposes 5 Million Guest Details

Late last year, we have featured here in Hackercombat.com the story about Marriot International Hotel chain data breach and the resulting accusation against China allegedly being the one behind the attack, which Beijing denied. Seems like the story continues to thicken, as the hotel chain’s leadership itself admitted that around 5 million passport records have been involved in the breach of 2018 as well. The company’s executives initially believe that the Starwood reservation system was not included in the data breach as earlier reported, however, upon close inspection duplicate entries on the records exists in the breached system. These duplicate records caused an estimated 5 million passport numbers being included in the breach as well.

Chinese government highly denies the accusation, stating that Beijing will carry-out internal investigation transparently if Marriott can provide reasonable suspicion. “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law. If offered evidence, the relevant Chinese departments will carry out investigations according to the law,” explained Geng Shuang, Spokesperson of Ministry of Foreign Affairs, China.

Although 5 million stolen passport numbers is a drop in the bucket compared to the 500 million user records (around 383 million unique records, the rest are duplicates) that got stolen overall in Marriott hotel chains late last year, it is still very critical issue. Passport numbers are unique, with it alone an individual can be tracked down. This includes VIP passport holders like government officials, diplomatic officials and military personalities which requires privacy preservation by default.

Aside from the passport numbers, it is also assumed that the 354,000 active card information which were digitally stored in the same Starwood reservation system were also compromised. Fortunately, compared to the passport numbers, the debit/credit card details that were allegedly hacked were stored in encrypted form in the reservation system database. Still, Marriott hotel chain’s security breach was the record largest last year, brought by Starwood’s vulnerabilities, the very product it acquired for $13 billion in 2016.

As of this time, there is still no known case of an identity theft that is directly associated with the Marriott hotel data breach. It may not end well for those that lost their passport numbers, as the Starwood reservation system unfortunately stores user’s passport information in unencrypted form. This will increase the likelihood that identity theft cases are imminent to happen, victims are advised to always monitor their bank account statements and other financial instruments to be on the safe side.

The hotel chain has announced that it has fully decommissioned the use of Starwood Reservation System with their in-house reservation project, hence the possibility of the repeat of the same incident is now minimized.