Oh, the Marriott Hack affecting 500 million guests is much bigger, much more serious than originally thought.
The attackers have had several years to refine their craft, harvesting credit card details and passport data, so any prevention mechanism put in place after detection is basically for naught.
As Reuters reported, investigators believe the perpetrators of this attack were Chinese spies, as the breach matched Beijing’s style.
Here’s the latest update.
Marriott’s $36 billion payback promise
Hackers accessed information in the Starwood reservation system, which affected brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and other properties in the Starwood portfolio, the company said.
The hackers got an early start, in 2014 to be exact, two years before Marriott acquired Starwood, and four years of undetected access is an eternity when it comes to breaches.
“This oversight in the M&A process calls to mind another recent, post-acquisition hacker-surprise: Yahoo, whose two mega-breaches remained undetected when the company sold to Verizon last year. Coincidentally, Marriott’s hack is the biggest suffered by a corporation, second only to those at Yahoo,” says Fortune in a recent report.
US Senator Charles E. Schumer called on the hotel chain to foot the bill and replace people’s passports which were potentially compromised as part of the breach.
“Marriott quickly promised to cover the cost for as many as 327 million people whose passport numbers may have been exposed. At a fee of $110 per passport, that would put Marriott on the hook to pay up to $36 billion—a price tag equivalent to the value of the entire company, per its market capitalization. A devastating payout,” explains Fortune.
It’s not going to happen.
The company said it will follow through on reimbursement only in instances where it “determine that fraud has taken place.”
What if this whole thing was espionage and passport data was used for illegal cross-border activities? Then, victims would not be reimbursed!
A passport mess
Hundreds of millions of passport numbers were exposed with Marriott’s hack.
Counterfeit passports, a classic black market trade, become easy to produce with this data. Combined with other personal details about a person, the numbers enable online fraud and account abuse.
Passport numbers lend an air of legitimacy to other information like name, address, date of birth, and email, potentially allowing scammers to open bank or credit card accounts in victims’ names.
Some credit card numbers were also stolen as part of the breach, Marriott says, and they were encrypted with the algorithm AES-128—a reasonably robust choice—but Marriott says the attackers may have also compromised the decryption keys needed to unlock the data, according to Wired.
What is Marriott Doing?
Marriott says it is cooperating with law enforcement and regulators in investigating the hack, and the company hasn’t finalized the number of people impacted.
“It currently seems that about 170 million Marriott customers only had their names and basic information like address or email address stolen. But the bulk of the victims—currently thought to be 327 million people—had different combinations of name, address, phone number, email address, date of birth, gender, trip and reservation information, passport number, and Starwood Preferred Guest account information all stolen,” reports Wired.
Last Friday, Marriott began rolling out batches of notification emails to impacted customers. It has also set up a call center and a breach notification website where you can check whether your information was stolen, and how much of it.
The company is also offering enrollment in the identity monitoring service WebWatcher for one year to anyone who thinks they were impacted by the four-year network intrusion.
Who else got hacked lately?
In a blog post on Monday, Quora CEO Adam D’Angelo admitted that Quora was breached. The company discovered the problem last Friday, and more than 100 million accounts may have had their data taken. Quora also said that the breach might affect any “linked networks,” such as Facebook or Google, if you used those to log into Quora. Though no financial information is attached to Quora accounts, there is a great deal of personal and social information available for each account.
Business Insider (BI) revealed that on Monday, Google announced that it would be shutting down Google+ four months early after another bug involving user data was discovered in November.
The company said 52.5 million users were affected by this issue, which exposed information including names, email addresses, occupations, and ages, between November 7 and November 13. Google said it has fixed the bug and will begin contacting those whose information has been compromised.
“Previously, Google said it was shutting down the social network in August 2019. Now, that sunset date has moved up four months to April,” said BI.