This is not the first time that hotel chains have been affected by security breaches, but this one appears to be much bigger than the last time Marriott was hit.
Marriott has just disclosed a large-scale data breach that could affect up to 500 million customers who stayed at a Starwood-branded hotel within the last four years. Details are still vague; the only thing Marriott has disclosed so far is that there was unauthorized access to a database tied to customer reservations stretching from 2014 to September 10, 2018.
Some guests' credit card numbers and expiry dates were also compromised. Marriott says this data was encrypted using the Advanced Encryption Standard (AES-128), but it has also said it cannot yet rule out that the two components needed to decrypt the card numbers were taken as well, so the encryption should not be read as a guarantee that the card data is safe. The breached information may contain a combination of the following: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Below is Marriott’s statement:
The root cause of the breach is currently unknown, but Marriott indicated that the intruders encrypted the information before exfiltrating it. Brian Krebs reported that Starwood had disclosed its own breach in November 2015, shortly after Marriott announced it would acquire the company. At the time, Starwood said its breach timeline extended back roughly one year, to around November 2014, which overlaps the start of the window Marriott now cites. Incomplete remediation of breaches is extremely common, and when compounded by the asset-management challenges introduced by mergers and acquisitions, seeing lateral movement and exfiltration years after an initial intrusion is not surprising.
Starwood properties impacted are as follows:
- The Luxury Collection
- Four Points by Sheraton
- W Hotels
- St. Regis
- Le Méridien
- Tribute Portfolio
- Design Hotels
Are you a Starwood Hotel guest? If so, change your Starwood Preferred Guest Rewards Program password as soon as possible. Choose a long, unique password (a passphrase is fine) that you do not use on any other site, since attackers routinely try leaked credentials elsewhere; mixing UPPERCASE and lowercase letters, numbers and symbols helps if the system allows it, and eight characters should be the minimum, not the target. It also would not hurt to monitor your credit card statements for suspicious activity. If you believe your financial information has been compromised, contact your bank or card issuer to have the card replaced, and consider placing a fraud alert or credit freeze with the credit bureaus.
In times like this, cyber criminals take advantage of the situation and use social engineering to trick people, so be careful. If you receive an email claiming to come from Marriott, be aware that it may not be genuine. Rather than replying or clicking links in the email, contact Marriott through its official website or phone number. For all you know, it may be a phishing attempt.
So what does this teach us? Nothing is entirely safe online. Thieves have been stealing since time immemorial, and that has not changed in the digital world.
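One concrete way to apply the advice above before trusting a "from Marriott" email is to inspect where its links actually go rather than what they display. The following is an added example, not code from the original article or from Marriott; the allow-list of trusted domains and the sample email are constructed assumptions for illustration only.

```python
"""Flag links in an email body that do not point where they claim to.

Added example (not from the original article). The trusted-domain list
and the sample message below are hypothetical, constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: domains a legitimate breach notice would link to.
TRUSTED_DOMAINS = {"marriott.com"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only for an allow-listed domain or a real subdomain of one.

    A suffix match on '.marriott.com' rejects lookalikes such as
    'marriott.com.account-verify.example', which merely start with it.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, [reasons])] for every link a reader should not click."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        host = host_of(href)
        if not is_trusted(host, trusted):
            reasons.append("destination %r is not a trusted domain" % host)
        # The visible text looks like a URL: make sure it matches the real target.
        if "://" in text or text.startswith("www."):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host:
                reasons.append("displays %r but points to %r" % (shown, host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: one lookalike link, one genuine link.
SAMPLE_EMAIL = """
<p>Dear Guest, your Starwood account was affected by the recent incident.</p>
<p>Verify your details here:
<a href="http://marriott.com.account-verify.example/login">https://www.marriott.com/</a></p>
<p>Or visit <a href="https://www.marriott.com/">Marriott home</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("  -", r)
```

The first link in the sample is flagged twice: its host is not on the allow-list, and the text it displays names a different host than the one it points to. The second link passes because `www.marriott.com` is a genuine subdomain of an allow-listed domain. The same check applies to any breach-notification email: the decision should rest on the actual link target, never on the displayed text or the claimed sender.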