Marriott/Starwood hack: Is your passport number in China?

Hotel hack reminds researchers, sources say

Recent revelations that Starwood’s huge reservation database was stolen have taken new significance.

Sources say it looks similar to other nation-state attacks from around the same time. Starwood is now owned by Marriott, which isn’t saying anything about these anonymous allegations.

But it once again highlights the fragile nature of the artifacts that define our digital identities. In this week’s ID Blogwatch, we sleep soundly in our beds.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: G teLkcuy


What’s the craic?
In case you’ve been living under a rock, take heed of Nicole Perlroth, Amie Tsang, Adam Satariano, Ron Lieber and Stacy Cowley:

The assault started as far back as 2014, and was one of the largest known thefts of personal records. [It’s] a reminder that after years of headline-grabbing attacks, the computer networks of big companies are still vulnerable.

The breach hit customers who made reservations for the … Starwood hotel brands from 2014 to September 2018. … The intrusion went unnoticed for four years by Starwood, which was acquired by Marriott in 2016. … Outside security experts … discovered that the hackers had grabbed a foothold in Starwood’s systems starting in 2014.

Names, addresses, phone numbers, birth dates, email addresses and encrypted credit card details … were stolen. The travel histories and passport numbers of a smaller group of guests were also taken.

Marriott said it had set up a dedicated website and call center. … The site was having problems staying online.

The hospitality industry has become a rich target for nation-state hackers looking to track the travel movements and preferences of heads of states, diplomats, chief executives and other people of interest to espionage agencies.


Nation-states such as?
Christopher Bing brings Clues in Marriott hack implicate China:

Hackers behind [the] massive breach … left clues suggesting they were working for a Chinese government intelligence gathering operation. … Private investigators looking into the breach have found hacking tools, techniques and procedures previously used in attacks attributed to Chinese hackers, said three sources.

Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood’s computer networks since 2014. … Marriott spokeswoman Connie Kim declined to comment, saying “We’ve got nothing to share.”

Former senior FBI official Robert Anderson [said it] looked similar to hacks that the Chinese government was conducting in 2014. … “Think of the depth of knowledge they could now have about travel habits or who happened to be in a certain city at the same time as another person. … It fits with how the Chinese intelligence services think about things. It’s all very long range.”


How did they get away with it for so long?
All aboard the Brian Krebs cycle: [You’re fired—Ed.]

The intruders encrypted information from the hacked database (likely to avoid detection by any data-loss prevention tools when removing the stolen information from the company’s network).

It’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015 [involving] malicious software installed on … payment systems that were not part of the its guest reservations or membership systems. … However, this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data.

The breach announced today is just the latest in a long string of intrusions involving credit card data stolen from major hotel chains over the past four years — with many chains experiencing multiple breaches: … Hyatt Hotels [twice] … Trump Hotel Collection [three times] … Kimpton Hotels … White Lodging [twice] … Mandarin Oriental … Hilton.


Many insecure hotels, you say?
Maren Hieret sees the irony:

I use cash as much as possible, but this is one of those things that gets reserved with a card. The rub is – I stayed at multiple [Marriott] properties this year to attend— Security Conferences……


But what’s all this about passport numbers?
Shaun Nichols has Identity stolen because of the Marriott breach? Come and claim your new passport:

Hotel-chain turned data faucet Marriott says it will help some customers cover the cost of replacing stolen documents. … Customers who fall victim to fraud as a result of forged passports will be eligible to claim a replacement passport at Marriott’s expense.

“As it relates to passports and potential fraud, we are setting up a process to work with our guests who believe that they have experienced fraud as a result of their passports being involved in this incident,” a spokesperson [spoke]. “If, through that process, we determine that fraud has taken place, then the company will reimburse guests for the costs associated with getting a new passport.”


Yes, but why keep it in the first place?
So wonders Nathan:

I get maintaining a DB of customer names, addresses, etc., but what is the business case for keeping customer passport numbers? … Perhaps we need laws that limit the storage of such important information — at least limits how long companies can store it.


And
Nick from Brooklyn agrees:

It should be unlawful for a company to permanently store this information. If businesses won’t take responsibility for protecting their customers data I say it’s time for legislation.

I’m tired of receiving emails from Facecook, credit agencies, Amazon, Target … that my information with them has been stolen. No punishment or fines. No accountability. Barely an apology.


Atlas shrugged?
Rima Regas prefers direct action to government intervention:

Nothing will change until we, individually and collectively, begin to punish irresponsible corporations for not keeping our data safe or trading in it. Nothing will change until we demand [it] from our elected representatives.

Enough already!


Meanwhile,
returning to the theme, maxbuzz dons the obligatory tinfoil hat:

The NSA and CIA have the tools to frame any nation for their cyber crimes. So how can we ever know who is responsible?


And Finally…

Get Lucky, but beats 2 and 4 are swapped

You have been reading ID Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or idbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: José Carlos Cortizo Pérez (cc:by)