Marriott Hotels Reservation Database Exposes Data of 500 Million Guests

More Data More Problems

This data breach will go down in the history books, not for how many customers’ records were exposed, but for the way Marriott fumbled the disclosure and resolution process. Their data breach problems seem to be getting worse by the day now that US customers have filed a class action lawsuit and lawmakers are calling for the company to pick up the costs of new passports. Many in the cybersecurity industry have pointed out that Marriott’s security issues should have been detected years ago. The lawsuit does not say how much money the plaintiffs are asking for, but with that many people having their data stolen it will be a costly lesson in data security for Marriott and yet another wake-up call for the industry to enact stronger security measures.

Hackers stole the personally identifiable information of an estimated 500 million guests at Marriott’s Starwood properties. This information included all the basics like phone, email and home address, but also passport or ID numbers. Marriott also claimed that an unknown number of records contained encrypted credit card data. Encryption is not a silver bullet: if the hackers are more advanced, a nation state for example, it is possible to decrypt that data. The worst part is that Marriott had a smaller data breach in 2015 and somehow missed this vulnerability. It is mind-blowing that the intrusions started way back in 2014 and were not discovered.

After the hack was discovered, Marriott did report the data theft to law enforcement. According to some reports, they are also working with the US Securities and Exchange Commission.
This breach will most likely be a new test of how European customers’ data is dealt with under the new GDPR rules. It will most likely amount to a massive fine because of the amount of sensitive data involved and because it was taken over a considerable amount of time, with the first download of data roughly 4 years ago.

Anytime there is a large-scale breach, sooner or later the data will be for sale on the dark web, and then cyber criminals start targeting victims. We here at Security Discovery have seen time and time again how database security breaches can affect a company or organization. Your data security plan should always include regular penetration testing and security audits. Simple prevention could go a long way when it comes to the real damages of a data breach.

About the Author

Jeremiah Fowler
Jeremiah Fowler: Senior Security Researcher, Communications Specialist and Journalist at SecurityDiscovery.com. I care about data protection, privacy, cyber security issues, and responsible disclosure. Contact me: j(at)securitydiscovery.com