Friday’s disclosure from hotel giant Marriott International Inc. that hackers compromised information on up to 500 million guests held in its Starwood reservation system raises the question of whether fraudsters will be able to use an unknown quantity of encrypted payment card numbers because they also might have stolen the decryption keys.
Marriott, based in Bethesda, Md., said in a statement that it received an alert Sept. 8 from “an internal security tool” about an attempt to access Starwood’s U.S. guest database. Marriott hired security investigators and determined there may have been unauthorized access to Starwood’s network since 2014. Marriott said it hasn’t finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made reservations at Starwood properties, which include the Sheraton, Westin, and W Hotels brands.
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” Marriott said.
An undisclosed number of payment cards were compromised in the breach. “For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128),” the statement says. “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
A Marriott spokesperson did not respond to a Digital Transactions News question about the actual number of cards compromised.
So how worried should Starwood guests be about their card information? If the cyberthieves don’t have the decryption keys, probably not too much, according to data-security analyst Julie Conroy, research director at Boston-based Aite Group LLC.
“That encryption standard is quite robust—while it’s been broken in academic research studies, the hacks have required a huge amount of computing power,” Conroy tells Digital Transactions News by email.
Even if the fraudsters have the decryption keys, there’s a question as to how much payment data they’ll find that isn’t circulating in cyber-theft networks already.
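Marriott did not say what its “two components” are. As an added illustration (not Marriott’s or Starwood’s code, and not a description of their actual system), the Go program below shows one common design that matches the statement’s wording, envelope encryption: each card number is sealed under a per-record data key, and that key is in turn wrapped under a key-encryption key assumed to be held in an HSM or key-management service rather than in the database, so a copy of the table alone cannot be decrypted no matter how strong AES-128 is. All names, the test card number and the key values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is one stored row: PAN ciphertext plus its data key (DEK) wrapped under a KEK held outside the DB (assumed HSM/KMS).
type Record struct {
	PANCiphertext []byte // AES-128-GCM(DEK, PAN), 12-byte nonce prepended
	WrappedDEK    []byte // AES-128-GCM(KEK, DEK), 12-byte nonce prepended
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only reachable through a bug (bad key length) or OS entropy failure
	}
	return v
}
// aead builds AES-128-GCM; the 16-byte key length is what selects AES-128.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal encrypts and authenticates plaintext under key, prepending a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key fails the GCM tag check instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// EncryptPAN seals the PAN under a fresh per-record DEK and the DEK under the KEK.
func EncryptPAN(kek []byte, pan string) Record {
	dek := make([]byte, 16)
	must(rand.Read(dek))
	return Record{PANCiphertext: seal(dek, []byte(pan)), WrappedDEK: seal(kek, dek)}
}
// DecryptPAN needs both components; a stolen table alone cannot complete the first step.
func DecryptPAN(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK) // component 1: the KEK unwraps the DEK
	if err != nil {
		return "", err
	}
	pan, err := open(dek, r.PANCiphertext) // component 2: the DEK opens the PAN
	return string(pan), err
}
```

Called with the real KEK, `DecryptPAN` round-trips the card number; called with any other key, it fails at the unwrap step because the GCM tag check rejects the wrapped DEK, which is exactly the situation Marriott says it cannot yet rule out for the attackers.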
“I think all of the other [guest] data that was exposed in the clear is of much greater concern—as we’ve seen from past breaches, this data has a lot of value in fraud schemes as well,” Conroy says. “Since this has been apparently going on since 2014, I suspect a lot of this data has already been actively used and sold in the underweb, so there’s not an immediate concern about a big monetization event per se as we had after the Target breach, for example.”
Conroy adds that the data “has probably already been used for phishing, loyalty-point fraud, and social engineering in a variety of different ways. It just reinforces the fact that the bad guys have full access to all of our static data, and reinforces the need to incorporate digital and dynamic data in our risk-assessment processes.”
Marriott acquired Starwood Hotels & Resorts Worldwide Inc. in September 2016, creating a behemoth with 30 brands and 5,700 properties worldwide. The KrebsOnSecurity blog notes the then-independent Starwood reported in 2015 that it found malware on point-of-sale systems in more than 50 properties in the U.S. and Canada. The compromise may have begun as early as November 2014. At the time, Starwood said its restaurant, gift-shop, and other POS systems were not linked to its reservation system, according to Krebs.