Last week it was made public that the hotel chain Marriott had suffered a devastating data breach: the guest reservation database of its Starwood-branded division had been compromised, affecting up to 500 million users.

Marriott says it “reported this incident to law enforcement and continues to support their investigation” and simply added that it had “already begun notifying regulatory authorities”, but many people see its security measures and its response time to this incident as unacceptable, with lawsuits being filed against the company just hours after its announcement on Friday.

The Database

The database in question contained information on up to 500 million customers, with 'some combination' of the following details:

  • Name
  • Address
  • Phone Number
  • Email Address
  • Passport Number
  • Account Information
  • Date of Birth
  • Gender
  • Arrival & Departure Info

How Did This Happen?

In early September this year, Marriott were alerted by an internal security system that there had been attempted unauthorised access to the Starwood guest reservation database. After this discovery, Marriott consulted security experts, who found that the unauthorised user had had access to the system since 2014, which gave them time to copy and encrypt all of the information they wanted; they had already taken steps towards removing this data when they were discovered.

It's unclear how the attacker initially gained access to the Starwood database. Some have speculated that the merger between Starwood and Marriott may have led to a vulnerability in the network, but that deal only closed in 2016, by which point the unauthorised party already had access. Even without knowing how this all started, it is clear that security mishaps on Marriott's part have added fuel to the fire.

Talking to WIRED, breach response experts stated that the amount of time the attacker had within the hotel systems 'likely made the breach much worse than it otherwise might have been'. In this case, the database contained encrypted payment card information, which would usually be a sufficient defensive measure, but with enough time an attacker could gain enough access to steal the decryption keys too - a possibility that has not been ruled out so far.

Backlash

Although Marriott seem to be showing transparency now, even taking further steps to create a dedicated website and call centre to help affected customers, many people are still questioning the response time to this attack. Not only was the malicious access on-going for so long, but the company was initially alerted to this fact in September - a whole 2 months before Marriott were able to decrypt the information found and begin contacting customers. This delay could not only draw heavy criticism on Marriott, but could also affect them financially, as - under the rules of GDPR - breaches of this kind should be reported within 72 hours.

Although there have been no updates yet on what GDPR fines the hotel chain will face, it already faces 2 separate lawsuits - one of them specifically seeking $12.5 billion in damages, which equates to $25 for each of the 500 million affected users. Both of these cases are seeking class-action status.

Advice for Customers

  • Change Your Password

This tip may seem obvious, but what many users overlook is that if they use the same password for multiple websites or accounts, then all of those should be changed too.

  • Monitor Accounts for Suspicious Activity

Again, this doesn't only apply to accounts directly linked to Marriott - any accounts using the same log-in credentials or payment card should be checked for suspicious activity.

  • Protect Future Credit Cards

When using your card details online in the future, try not to save them to the website; instead, enter them manually each time. Other advice from security experts includes opening a separate credit or debit card used only for online shopping, which makes fraudulent activity much easier to spot.