This is indeed bizarre, to put it mildly: the website of a global hotel chain kept getting hacked for as long as four years, and the management was not even aware that personal information relating to 500 million guests stood exposed to cybercriminals.
Yes, this is unbelievable but true, and the hotel chain is Marriott. The hack at hand has been labeled one of the biggest-ever breaches of consumers’ personal data.
It has to be clarified that it is not the hospitality giant’s own branded hotels that have been affected but those in the Starwood group, which Marriott now owns after its acquisition in 2016. It appears a third party gained unauthorized access to Starwood’s systems back in 2014. Marriott detected the hack in September, but didn’t release a notice until November 30.
Many Hotels on the List
Sheraton, W Hotels, Le Meridien, Westin, The Luxury Collection, St. Regis, Aloft, Four Points and Element are the affected hotels. Their reservation systems were penetrated by hackers who have been stealing vital data such as the guests’ names, passport details, email IDs and other personal information.
The most damaging part is that, while the hotel chain claims the data was stored in encrypted form, the hackers have managed to steal the decryption keys as well.
Experts Express Concerns
Some aspects of this Marriott hacking story have not only surprised cybersecurity experts but also left them seriously worried about the consequences of such data theft.
One is, as mentioned, the fact that the hospitality giant had a data security regimen so weak that it did not detect vulnerabilities in its reservation system for such a lengthy period. Organizations need to have some kind of security audit done, and when a company holds such sensitive data on millions of customers, there is no excuse for Marriott to have overlooked this.
The other is the kind of risk the stolen data can expose the victims to. If someone has made a booking in one of these hotels for a week, for example, the hackers will know that person will be away from home, and they can easily trade this information with thieves. Some examples are cited of people in sensitive professions, such as politicians, federal law enforcement agents or military personnel, being especially at risk if data revealing their whereabouts is leaked. Professional hackers can sell such information to enemy state actors, to dangerous ends.
Marriott in Damage Limitation Mode
Marriott has issued an official statement on the hack and is in the process of sending out messages to the affected individuals, advising them to take precautions and to change their passwords.
The process of identifying the guests who might figure in this large volume of 500 million may take considerable time.
Guests Have Gone to Court
Meanwhile, it is learnt that some Marriott customers have filed lawsuits in the U.S. A national class action lawsuit has been filed in Maryland, where the company has its headquarters. Another suit, filed in a court in Oregon, claims $12.5 billion in damages from Marriott. The charges mentioned in these lawsuits include negligence and unfair trade practices.
There is also a class action lawsuit filed on behalf of Marriott shareholders, who experienced massive investment losses after the announcement was made.
In the coming days, data security is bound to become the most important issue that all corporate entities will have to deal with. It is no longer the case that only credit card and bank account details are considered subject to threats. Any online resource that collects your name, address and email ID has to take responsibility for the safety of such information.