What the Marriott Data Breach Means for Individuals, the U.S. and Companies Worldwide
Daniela Perez
ACFE Staff

The business sector tops the Identity Theft Resource Center’s list of industries facing the most data breaches for the sixth consecutive month. This time, it’s because of the massive Marriott International and Starwood Hotels and Resorts data breach that affected more than 500 million customers.

The hotel chain found that since 2014, an undetected hacker had unauthorized access to names, emails and, in the case of 327 million people, passport numbers. Marriott became aware of the hack in early September and announced it mid-November.

U.S. intelligence agencies suspect China’s involvement since the attack “fits the pattern” of Chinese state-sponsored cyberattacks. This year points to a disturbing new trend within American corporations and showcases their vulnerabilities to sophisticated cyberattacks. The Marriott data breach indicates that foreign countries have mastered methods needed to easily penetrate databases containing sensitive information.

A preventable violation
The hackers breached Starwood’s system two years before Marriott’s acquisition. In 2016, Marriott could have caught the problem during its acquisition of Starwood, yet the hackers evaded several audits conducted during the merger.

Marriott and its security team failed to protect sensitive data entrusted to them by customers. Four years of “dwell time” allowed the hackers to steal more than the typical information acquired in corporate breaches. These hackers collected unique information such as credit card data and hotel arrival and departure dates.

Marriott has begun working with customers who believe their stolen passport numbers led to fraud. However, Marriott emphasized that clients had to prove the data breach directly resulted in fraud. If customers could, Marriott would pay for a new passport.

Hackers can use stolen passport numbers to track a person’s international movements and discover their appearance. Yet, passport numbers cannot be used to obtain personal records, acquire a new passport or travel.

Despite the half a billion people affected, this data has not been found on the dark web. According to Recorded Future, a security firm, and Coalition, an insurance company, the hackers aren’t interested in selling the information taken from the hotel chain. Instead, it’s consistent with a foreign actor using this data for intelligence purposes.

This data can be used to create targeted email campaigns against government officials whose information was disclosed in the attacks. Most shocking, however, hackers can now combine this data with the results of previous cyberattacks to build a single database.

Names, birthdays and travel information will allow hackers to connect people across attacks and find their connections to international intelligence agents. As a result, hackers will get closer and closer to their intended target.

International repercussions
According to John M. Simpson, project director at Consumer Watchdog, companies would rather have inadequate data security because not having these protections is cheaper than the consequences of a data breach.

Governments across the world have realized the severity of these breaches and have begun protecting their citizens. The European General Data Protection Regulation (GDPR), which took effect in May 2018, protects all EU citizens from data breaches that compromise their personal data. Corporations that fail to comply with the GDPR could face a fine of 4% of their global turnover.

It is still unclear what ramifications Marriott will face under the GDPR, but it could be the first company to face the hefty 4% fine.

In the U.S., California has a similar law to the GDPR. The California Consumer Privacy Act (CCPA) gives Californians the right to know what personal information is collected from them and if it is sold. However, the law takes effect in 2020, leaving Marriott off the hook.

Looking forward
Though there is no conclusion about who orchestrated this attack, the hackers showed consistencies and familiar patterns used in previous Chinese cyberattacks. These findings come on the heels of U.S. President Donald Trump planning action against China’s trade, cyber and economic policies. This includes indicting Chinese hackers who work for intelligence agencies to harvest American intelligence.

President Trump also plans to declassify documents that show how Chinese hackers have built a complex database. Since 2014, they have created a database that contains the names of executives and American government officials with security clearances.

However, the damage has been done, and it affected 500 million people. In 2017, the hospitality industry accounted for 92% of all point-of-sale intrusions. In a data-driven society, hotel companies like Marriott must prioritize data security to ensure loyalty from customers and a successful, trustworthy business.