What Happened? Marriott Breach

Hotel Chain Hacked After Huge Attack 

By Najmeh Tima

“What Happened?” is an occasional feature by Digital Privacy News that looks back on some of the tech industry’s biggest data breaches last year.

While Marriott International is awaiting a final decision from the U.K.’s Information Commissioner’s Office (ICO) over a 2018 hack at its luxury Starwood hotel chain, the company’s systems were breached nearly two years later, in January 2020.

The data that eventually was leaked involved the contact details, loyalty-account information, personal details, preferences and partnerships and affiliations of as many as 5.2 million guests in Marriott’s Bonvoy loyalty program.

In October, ICO fined Marriott $23.9 million for the 2018 breach of approximately 339 million records, including guests throughout Europe. 

Marriott Responds 

Connie Kim, Marriott International’s senior vice president of global corporate relations and communications, told Digital Privacy News of the latest hack: “The activity identified by Marriott did not involve a hack, attack on, or breach of Marriott’s network or network security. 

“Rather, it involved the ‘unauthorized use of a Marriott business application’ to look up a higher than usual amount of guest information,” she added, “using legitimate login credentials issued to certain front-desk employees who were intended to have access to the application.”  

“The activity identified by Marriott did not involve a hack, attack on, or breach of Marriott’s network or network security.”

Connie Kim, Marriott International.

Kim said that “no account passwords or PINs, payment-card information, passport information, national IDs, or driver’s license numbers” were “leaked” or otherwise accessed or disseminated. 

Marriott, based in Bethesda, Md., identified the activity as “part of a regular review of the application’s usage data” in late February of last year and disclosed it publicly on March 31, she said. 

In the announcement, Marriott said it notified “guests of a property-system incident.” 

But the company did what federal law required, John Bambenek, president of Bambenek Labs, told Digital Privacy News. He also works for the SANS Institute in nearby Rockville, which monitors malicious activity on the internet.

“In the United States, breach-notification laws mean customers have a right to know their data is breached,” he said. 

Bambenek said Marriott was not legally entitled to do more except provide credit-monitoring services.  

‘They Don’t Know’ 

However, Eric Cole, a Virginia intelligence analyst, was more blunt about the Marriott breach. 

“They don’t know how that happened,” he told Digital Privacy News. “They only have that limited information, because they didn’t detect it themselves.” 

Cole is the founder and an executive leader of Secure Anchor Consulting, a corporate-security consulting firm in Ashland, Va.

He defined many such hacks as an “accidental discovery,” when a third party or IT individual noticed something unusual or strange happening. 

Big Hack, Few Details  

In its announcement, Marriott said that the company had identified an “unexpected amount of guest information” that might have been accessed via the Bonvoy program. It was through a guest-service application, based on the login credentials of two employees at a franchised property at the end of February. 

Marriott said it believed the unusual activity dated back to mid-January.  

“In the United States, … customers have a right to know their data is breached.”

John Bambenek, Bambenek Labs.

Upon discovery, the hotel said it disabled the workers’ login credentials. 

In cooperation with authorities, Marriott said it “immediately” began an investigation, implemented heightened monitoring and arranged resources to inform and assist affected guests. 

“This is the problem with a lot of organizations,” Cole told Digital Privacy News. “They’re spending all this money on prevention, trying to stop attacks. 

“When these preventive measures fail, there’s not a lot of details on the back end for them to understand or know what happened.” 

But Bambenek cautioned: “It’s exceptionally rare for a victim to release any information beyond the basics.” 

Marriott’s systems were breached — and personal information was lost, which means lawsuits were coming, he said. 

The day after the breach announcement, Marriott was hit with a class-action lawsuit from affected guests for failing to implement adequate and reasonable cybersecurity procedures necessary to protect their personally identifiable information (PII).

The 34-page suit, filed in U.S. District Court in Maryland, argued that as a result of Marriott’s data breach, the victims would continue to face a heightened risk of fraud and identity theft in the coming years. The action is pending.

Preventative Measures 

Marriott said in the announcement that it had sent emails to affected guests, which included a link to a dedicated website and call-center resources that could be accessed.

But Cole, the Virginia analyst, noted that email was not a secure form of communication — as it could be spoofed, modified or changed. 

“They don’t know how that happened.

Eric Cole, Secure Anchor Consulting.

Organizations need to embrace secure email, he said.

“Using a ‘subdomain’ could have built greater confidence in customers,” Vishal Masih, an intelligent analyst with Zephon, a company based in Texas, told Digital Privacy News. 

Bambenek advised: “Companies should put forms and information on their website instead of registering a new domain, because victims might not recognize the real domain from a fake one.”  

‘The Impact Is Large’ 

Though Marriott’s Kim said no personal data was leaked, such PII could be used by scammers for phishing attacks, Cole said. 

“The impact is large,” he told Digital Privacy News, “because attackers are ultimately after information where they can build a ‘profile about an individual.’”

PII from different breaches could be correlated and used for larger financially driven attacks, ultimately causing individual harm to victims. 

Bambenek said that the more he knew about a potential hacking victim, the more likely he could create a “believable” but fake phishing email to target the individual. 

Hackers, Zephon’s Masih warned, could impersonate hotel or the airline company employees or customers to access guest credentials for “fraudulent financial transactions — and even identity theft.” 

Prevention vs. Detection 

Kim noted that the company took several “additional” steps to protect and verify the legitimacy of the Bonvoy accounts affected by the breach. 

Still, “prevention is ideal, but detection is a must,” Cole told Digital Privacy News. “You can’t prevent all attacks. So, you must have better detection mechanisms in place.” 

“Using a ‘subdomain’ could have built greater confidence in customers.”

Vishal Masih, Zephon.

Masih said the breach could have been prevented if Marriott had enforced “multifactor authentication” for all staff with access to PII or other sensitive information. 

Bambenek observed that lack of “enough monitoring” of those accessing customer information and why could have been behind the data breach. 

“While 5 million people is a small subset of Marriott’s customer base, it’s still larger than what a reasonable employee would need to access to do their job,” he said. 

Cole called for “outbound monitoring,” where all outbound connections go through a proxy to monitor all input information.  

“Detection is not hard if you’re looking at outbound traffic,” he told Digital Privacy News. “It’s inbound prevention and outbound detection.” 

Najmeh Tima is a writer in Iran.