
Marriott Confirms Breach Impacts as Many as 500 Million Guests


The recent Marriott breach could impact as many as 500 million guests.


Marriott International has disclosed that the guest reservation database of its Starwood division has been breached, affecting as many as 500 million guests. The company has also confirmed that there has been unauthorized access to the Starwood network since 2014.

According to a report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. The company is still trying to determine whether or not the encryption keys have also been stolen.

In a statement, Marriott said that on Sept. 8 of this year, it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US. An investigation into the incident confirmed that an attacker had indeed copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.

While it is still unclear how the attackers penetrated the organization, Chris Wysopal, co-founder and CTO of Veracode, said that the breach could have gone undetected on the network for so long because attackers are getting better at making sure their attacks don't contain indicators of compromise (IoCs).

Marriott bought Starwood, which owns brands including the W Hotels, Sheraton, Le Méridien, and Four Points by Sheraton, in 2016 to create the largest hotel chain in the world. Marriott-branded hotels use a separate reservation system on a different network.

The incident has been reported to both law enforcement and regulatory authorities, and the UK's data regulator is investigating. While Marriott is headquartered in the US, it works with and hosts European citizens, so it must ensure that it meets GDPR compliance. It’s anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach. Wysopal said that given that this is one of the first major breaches under both GDPR and the new California Consumer Privacy Act — “it will be a bellwether for breaches to come.”

Marriott is emailing guests affected by the breach and will not send emails with any attachments. Additionally, the company is offering its guests a free membership to WebWatcher, a personal information monitoring service, and is instructing guests to watch their loyalty accounts, change their passwords, and check credit card statements for unauthorized activities. An informational website and call center have also been set up to support guests during the investigation.



Published at DZone with permission of

Opinions expressed by DZone contributors are their own.
