[BreachExchange] China blamed for Marriott data breach

[Destry Winant]

https://www.zdnet.com/article/china-blamed-for-marriott-data-breach/

A Chinese cyberespionage campaign was behind a devastating data breach
affecting millions of Marriott guests, reports suggest.

The data breach, revealed last month, involved the personal
information of 500 million customers.

Data including guest names, mailing addresses, phone numbers, passport
numbers, dates of birth, and Starwood Preferred Guest ("SPG") account
information, as well as payment card data -- in some cases -- was
stolen.

Access had been gained to the Starwood guest reservation database back
in 2014 but was only uncovered in November this year. Starwood was
acquired by Marriott in 2016.

According to the New York Times, the threat actors behind the
intrusion may be linked to China's Ministry of State Security, a
department responsible for intelligence gathering.

The US Department of Justice (DoJ) recently convicted 10 Chinese
nationals charged as Ministry of State Security operatives tasked with
hacking both US and European companies for the purpose of intellectual
property and confidential data theft.

Two officials briefed on the matter said the hackers responsible for
the Marriott data breach have also been connected to cyberattacks
launched against health insurers and the theft of US security
clearance files. The other organizations involved have not been named.

A spokesperson for the Ministry of Foreign Affairs denied these claims
as well as any knowledge of how the Marriott cyberattack took place,
or why.

"If offered evidence, the relevant Chinese departments will carry out
investigations according to the law," the spokesperson added.

A Marriott spokeswoman said the company has not speculated when it
comes to the identity of the threat actors.

The report has emerged at a time when the relationship between the US
and China is strained over trade deals and tariffs. The NYT reports
that the DoJ is set to announce a fresh set of indictments against
Chinese cyberattackers linked to cyberespionage in the near future.

Only hours after the reveal of the data breach, Marriott became the
subject of a class-action lawsuit seeking $12.5 billion in damages on
behalf of those affected. This may sound like a vast amount but only
equates to $25 per customer.

Marriott does, however, intend to reimburse some customers. A company
spokesperson said that Marriott will foot the bill for new passports
in cases where victims can prove the use of stolen passport numbers in
fraudulent activities permitted by the data breach.

Marriott CEO Arne Sorenson has apologized to the firm's customers,
saying that the hotel chain "fell short of what our guests deserve and
what we expect of ourselves."