Hackers lurked undetected on networks now owned by Marriott for 4 years

Marriott Hotels has learned the hard way from the saying that there are two types of businesses: those that have been hacked and those that may not yet know they’ve been hacked.

For four years, Marriott Hotels fell in the latter category. Buried in Marriott’s announcement Friday that personal data of as many as 500 million guests was lost in the second largest consumer breach in U.S. history, the company said hackers first entered the guest reservation systems in 2014.

The hack remained undetected year after year.

“The sheer size and length of this breach is very unique,” said Yonatan Striem-Amit, chief technology officer at Cybereason, a cybersecurity firm in Boston. “The industry average talks about … 100 to 200 days between the moment of breach and the moment it is discovered.”

Also unique is the volume of information the hackers obtained through Marriott, one of the world’s biggest hotel chains with 1,200 properties under brands like Sheraton, Westin, St. Regis, W and Courtyard. The company said hackers obtained names, addresses, phone numbers, email addresses, passport numbers, birthdates, gender and other details on at least 327 million guests from the Starwood database. Marriott bought Starwood Hotels & Resorts in 2016.

Hackers also took credit card information and expiration dates for another undisclosed number of guests, Marriott said. While this information was partially encrypted, hackers may have taken data that would allow them to decrypt the payment data, it added.

The Marriott breach is surpassed in size only by the hack of 3 billion users of Yahoo in 2013 and 2014. In some ways, it more resembles the 2017 hack of Equifax, one of the largest U.S. credit bureaus, in which some 143 million consumers lost personal information.

Experts said cybercriminals may employ data gathered from the Marriott breach and cross-reference it with information from a host of other breaches, including from Equifax, to create more robust profiles of potential crime targets.

Among those likely to be affected are business travelers, they said. British Airways and Cathay Pacific airline disclosed breaches this year, and the hotel companies Radisson, Intercontinental and Japanese-owned Prince also suffered hacks.

“It’s people that have a higher net worth,” said Ryan Wilk, a vice president at NuData Security, a MasterCard company. “Business travelers are a little more affluent than the average.”

Data stolen from airline and hotel chains “contains a treasure trove of information that hackers can use to build sophisticated, comprehensive dossiers” on victims, added Rusty Carter, vice president of Arxan Technologies, a San Francisco-based company.

Criminals working with hackers could seek to track the travel plans of individuals.

“The burglary angle is also an important one to note. If I know where you live, which is captured in the billing address, and I know where you’re going to be and when, there is potential on that front,” Carter said.

Criminals rarely obtain passport data, and the loss of the data has implications not only for identity theft but also national security.

“They have right now enough data to go and apply for a replacement passport, due to ‘my passport being lost.’ They would have your Social Security number from past hacks,” Striem-Amit said.

The coming year might even see an uptick in criminal efforts to defraud the Internal Revenue Service, experts said, as hackers file fraudulent claims in the name of consumers.

“You file someone else’s taxes,” said Wilk. “You hope they are getting a nice big return. The true owner of the information is kind of out of luck.”

The breach drew new calls for regulation from Capitol Hill and an immediate class-action lawsuit against Marriott.

“This latest incident should strengthen Congress’ resolve,” said Sen. Mark Warner, vice chairman of the Senate intelligence committee. New data security laws should “ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

Two men, one from West Virginia and another from Illinois, filed the class-action suit in federal court in Maryland to recover damages caused by the breach.

Marriott said it received an internal alert on Sept. 8 regarding the Starwood guest reservation database, and conducted an internal probe. It didn’t explain the delay in informing consumers.

“Almost three months went by where they knew that half a billion people had their information stolen, including passport numbers, and they spent three months trying to figure out exactly what the press release should say,” said Brian Vecci of New York-based Varonis, a data protection and analytics company. “It’s mind boggling.”

“We need stronger consumer protections for exactly this kind of reason. Companies can’t wait months to disclose,” Vecci added.

Since Marriott is a global company, it could face financial penalties of up to 4 percent of its global annual revenue if found to be in breach of Europe’s stiff General Data Protection Regulation, or GDPR, that went into effect in May. GDPR requires companies to inform regulators of data breaches within 72 hours.

Marriott is only the latest in a drumbeat of breach announcements. Just this week Dell, a computer company in Round Rock, Texas, and Atrium Health of Charlotte, North Carolina, disclosed breaches. In Atrium’s case, 2.65 million people lost personal data, including in some cases Social Security numbers.

Tim Johnson, 202 383-6028, @timjohnson4