Danny Johnston / AP
Friday, Nov. 30, 2018 | 11:25 p.m.
NEW YORK — Security experts alarmed by the scope of a data breach at the Marriott hotel empire worry that stolen information on specific hotel stays could be used for burglary, espionage or reputational attacks.
Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, obtaining credit card and passport numbers and other personal data, including arrival and departure dates.
The crisis quickly emerged as one of the biggest data breaches on record. By comparison, last year's Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
Chris Wysopal, chief technology officer with the security firm Veracode, said the attack goes beyond traditional credit-card theft, as information about a person's hotel stay "could be used to incriminate someone."
Jesse Varsalone, professor of cybersecurity at the University of Maryland, said hackers' access to the reservation system could be troubling if the hackers turn out to be, say, nation-state spies rather than those out simply for financial gain.
That information could mean knowing when and where government officials are traveling, such as to military bases or conferences, he said.
"There are just so many things you can extrapolate from people staying at hotels," he said.
And because the data included reservations for future stays, along with home addresses, burglars could learn when someone wouldn't be home, said Scott Grissom of LegalShield, a provider of legal services.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.
Email notifications for those who may have been affected begin rolling out Friday.
The full scope of the failure was not immediately clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times.
Security analysts were especially alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.
It was unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.
The breach of personal information could put Marriott in violation of new European privacy laws, as guests included European travelers.
It isn't common for passport numbers to be part of a hack, but it has happened before. Hong Kong-based airline Cathay Pacific said in October that 9.4 million passengers' information had been breached, including passport numbers.
Passport numbers are often requested by hotels outside the U.S. because U.S. driver's licenses are not accepted there as identification. The numbers could be added to full sets of data about a person that bad actors sell on the black market, leading to identity theft.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport.
But one redeeming factor about passports is that they are often required to be seen in person, said Ryan Wilk of NuData Security. "It's a highly secure document with a lot of security features," he said.
When the merger was first announced in 2015, Starwood had 21 million people in its loyalty program. The company manages more than 6,700 properties across the globe, most in North America.
While the first impulse for those potentially affected by the breach could be to check credit cards, security experts say other information in the database could be more damaging.
The names, addresses, passport numbers and other personal information "is of greater concern than the payment info, which was encrypted," analyst Ted Rossman of CreditCards.com said, citing the risk that thieves could open fraudulent accounts.
An internal security tool signaled a potential breach in early September, but the company was unable to decrypt the information that would define what data had possibly been exposed until last week.
Marriott, based in Bethesda, Maryland, said in a regulatory filing that it was premature to estimate what financial impact the breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.
Elected officials were quick to call for action.
The New York attorney general opened an investigation. Virginia Sen. Mark Warner, co-founder of the Senate Cybersecurity Caucus, said the U.S. needs laws that limit the data companies can collect on customers and ensure that companies account for security costs rather than making consumers "shoulder the burden and harms resulting from these lapses."