Marriott Hotels Hacked! Data of 500 Million Guests May Be Compromised

Still among the numerous Google searches today on this massive security breach story, I saw the Marriott Ad running “We’re Reinventing Travel with Innovation and Sophisticated Design. Reserve Now. Mobile Check In. Bold Innovations. Best Rate Guarantee. No Charge or Cancel Fees”.

They may want to add this “But we cannot guarantee the protection of your information like your name, address, phone number, passport number or credit card info, so if you are cool with that, then come sleep soundly with us!”

This hack resonates with me personally because my credit card got a $3,000 charge for Air B&B in Europe soon after my stay at a Marriott in Washington this past summer. Coincidence? Maybe. When I discovered it, my credit card company immediately blocked the transaction and I obviously did not have to pay. However, Air B&B actually tried to question if I made the purchase until they realized that it was absurd. Still today, the Air B&B refuses to provide me with information on whom made the unauthorized transaction with my credit card…apparently, it’s “confidential”. One would imagine that to catch the culprit is to keep quiet, have the bad actor go to the accommodation and send the police to arrest them? Could make for another fun reality TV Show – To catch a credit card hacker?

You can visualize the Marriott PR people and management on red-alert frantically trying to spin the bad news and downplay the problem. Brace for the short-term pain and hope that storm blows over soon. Meanwhile for years to come, Marriott’s guests will most likely have to continue dealing with the fallout while its business as usual for Marriott and the industry. In time, who will remember that the pain that they are feeling actually originated from the Marriott data breach?

The company said that an authorized party copied and encrypted information. Sounds familiar? Well it’s nothing new as it’s happening all the time. However, what is quite troubling is that the company also said that the unauthorized access has been happening since 2014. To put this in perspective, the breach announcement was only made on November 2018, and you guessed it on a Friday! It’s like they all went to the same spin-doctor school!

Here is what my IT Security contributors have offered so far…

• The first identified unauthorized access goes back to 2014. So, why was that allowed to happen and not taken care of? There are security tools like Barrier1’s AI that identifies and stops unauthorized access. Something like this may have helped!
• Generally, access requires a lot of scanning before any type of launch happens. After all the cyber criminals have to learn what their target has in front of them. They do NOT just go guns a blazing. Were the scans identified and blocked and did the system learn and remember. Where did the attack does come? Most attacks are not launched form the same IP address.
• The files were encrypted with AES-128. Now, AES-128 is not the most secure and most likely the cyber criminals had tools to decrypt the files. Again, prior to the cyber launch, cyber criminals would not know this. They would find that out during the “recon” stage.
• Pearson VUE Systems seems to be the software being used. That had been breached earlier. So, maybe there were parts still embedded that help launch a new or mutated version.
• The 54 affected hotels are in a variety of different locations. SO, we need to find the commonalities of these 54.

I keep saying over and over, that companies are simply asking for too much information as they race to get as much data to profile their customers and exploit its business intelligence. If Marriott can be hacked, what about all of the smaller hotels who not only ask you for your information like driver’s license, but some of these morons actually take a photo copy of it! Would it surprise you if they just dump the photocopies in the garbage? What a field day for even the low-tech hackers that don’t even need a computer.

Companies are all collecting data like it is the “new gold” (and, it is) and their excuses for doing so ranges from its company policy to you earn points to I don’t know, but I want your info anyway.

These companies may say that they are concerned about your privacy and that they do everything to protect you. They may even have very sophisticated privacy policies written on their web sites. What if all this is just smoke and mirrors to protect their legal exposure and make you feel comfortable in giving up your data? In reality, it is probably more like cross your fingers, close your eyes and hope hackers do not get your data!

As a publisher of technology news and from my countless conversations with leading security experts who are on the front-lines of cyber attacks, everyone is vulnerable! The hackers are changing the rules of the game, because they currently control the game. The IT Security companies are smart people trying to fight back, but there is still no clear path to prevention.

With all of the zillions being spent on data security protection, still over 100,000 malicious instances are getting through network systems and human beings are one of the biggest culprits. Next time you give someone your information, take a good look at them and ask yourself… Is this person capable of protecting your private information? How many people have access to this system? How many points of potential compromise are there? And, if every employee does everything to lock down their system and use complex passwords and bio-metrics, then what about the disgruntled employee who decides to sell access.

So now what? Nothing! Marriott will hopefully find the problem. Spend more money to hire better security experts and plug the hole with more security tools. All the while this is going on, hackers have already moved on to digging the next tunnel into their system. The cat and mouse game is forever.

What will actually stop this? At this point, probably nothing, but maybe a stronger law could prevent companies from requesting too much of your data or making a copy for “their records”. Europe’s GDPR is one step in this direction. Credit card compromises are already taken care of by the high interest rates that the banks charge its customers (leave it to the banks to flip this problem into a profit center).

Hackers have spawned a massive industry using the #1 sales currency – FEAR! While the hackers make mountains of money, others make oceans more fighting them. Hackers may be the best thing that has ever happened to the IT Security industry and a nuisance for those companies who are overeager to extract as much data from their customers as possible. In the end, the consumers are left to pay the bill and endure the real consequences.

Which company will be hacked next? To consumers, it does not matter what happened, how or who did the hacking. What matters is that yet again, their personal information was stolen from the hands of companies that forced them to hand over. Of course, businesses need to protect themselves from random people trying to rip off the establishment, but is that worth the loss of the privacy and information of millions of customers? Surely there is a better way?

You can either become numb to the problem or be wise of what information you give up. Push back! If privacy is outlawed, only outlaws will have privacy.