[BreachExchange] Marriott: Hackers accessed more than 5 million passport numbers during November’s massive data breach

Inga Goddijn inga at riskbasedsecurity.com
Mon Jan 7 09:45:33 EST 2019


https://www.washingtonpost.com/technology/2019/01/04/marriott-hackers-accessed-more-than-million-passport-numbers-during-novembers-massive-data-breach/

Marriott International, the world’s largest hotel company, said Friday that
millions of passport numbers were accessed in a data breach that was first
announced in November.

Marriott revealed for the first time, in a statement posted online
<http://news.marriott.com/2019/01/marriott-provides-update-on-starwood-database-security-incident/>,
that hackers accessed approximately 5.25 million unencrypted passport
numbers. The attack resulted in an additional 20.3 million encrypted
passport numbers being swiped, but there is no evidence that the hackers
were able to decrypt the data, the statement said.

Translated into another code, only available to those with access to a
digital key, encrypted data is harder for hackers to obtain and considered
more protected, according to experts.

Marriott also said that the breach affected an estimated 383 million
“unique guests,” down from the original estimate of 500 million given when
the company said in November that its Starwood guest reservations database
had been penetrated by hackers.

The Bethesda-based hotel chain said it updated its figures following the
work of a “forensics and analytics investigation team.”

“We want to provide our customers and partners with updates based on our
ongoing work to address this incident as we try to understand as much as we
possibly can about what happened,” said Arne Sorenson, Marriott’s president
and chief executive, according to the company’s statement. “As we near the
end of the cyber forensics and data analytics work, we will continue to
work hard to address our customers’ concerns and meet the standard of
excellence our customers deserve and expect from Marriott.”

Despite a decrease in the estimated number of affected customers, the
Marriott breach remains among the largest data heists in history, according
to the Associated Press
<https://www.apnews.com/2e2f9aad21fc4fdd87b7852e5db2327f>. The data of more
than 140 million Americans was exposed when Equifax was hacked in 2017
<https://www.washingtonpost.com/business/technology/equifax-hack-hits-credit-histories-of-up-to-143-million-americans/2017/09/07/a4ae6f82-941a-11e7-b9bc-b2f7903bab0d_story.html?utm_term=.6c857da883eb>,
and 40 million customers had their credit card information stolen from
Target by hackers in 2013
<https://www.washingtonpost.com/local/public-safety/hacker-linked-to-target-data-breach-gets-14-years-in-prison/2018/09/21/839fd6b0-bd17-11e8-b7d2-0773aa1e33da_story.html?utm_term=.a3abf2ea1cb8>.

The compromised passport numbers represent a fraction of the total data
stolen by hackers, according to the company’s latest figures.

As Hamza Shaban reported in November
<https://www.washingtonpost.com/technology/2018/11/30/what-you-should-do-after-marriott-data-breach/?utm_term=.6e2fde113013>,
the hackers — who gained access to Marriott records Nov. 19 — were able to
access names, addresses, phone numbers and email addresses, as well as
loyalty program account information, dates of birth, gender and reservation
information.

“Marriott now believes that approximately 8.6 million encrypted payment
cards were involved in the incident,” the company statement said Friday,
adding that 354,000 of those cards were unexpired as of September.

The company also said that while “there is no evidence that the
unauthorized third party accessed either of the components needed to
decrypt the encrypted payment card numbers,” it cannot rule out the
possibility.

The FBI is overseeing the investigation into the data breach, which experts
suspect was directed by the Chinese Ministry of State Security, according
to AP.

Chinese government officials have denied
<http://www.wionews.com/world/china-denies-role-in-marriott-hacking-case-182014>
involvement
in the attack and promised to carry out an investigation if they’re offered
evidence of wrongdoing, according to Reuters
<https://www.reuters.com/article/us-marriott-intnl-cyber-china-exclusive/exclusive-clues-in-marriott-hack-implicate-china-sources-idUSKBN1O504D>.

Priscilla Moriuchi — an analyst with Recorded Future who worked for the
National Security Agency until 2017 — told AP that unencrypted passport
numbers are particularly useful for tracking people’s movements and
learning about their history.

“You can identify things in their past that maybe they don’t want known,
points of weakness, blackmail, that type of thing,” she said.