Chinese hackers may have been involved in the massive breach reported last week by Marriott’s Starwood division, according to Reuters. Hacking tools, techniques and procedures used in earlier cyberattacks were discovered by private investigators looking into the breach of the hotel conglomerate’s reservation system.
The personal data of up to 500 million guests was stolen in the hack, which began four years ago.
The revelation suggests the possibility that the attack on Marriott’s reservation system was orchestrated for use in Beijing’s espionage efforts and not for financial purposes, sources told Reuters. However, even while China has emerged as the lead suspect in the attack, other parties had access to the same tools, so it is possible someone else was involved, the news agency said.
A source also told Reuters that it will be difficult to identify who the culprit is because investigators believe multiple hacking groups may have simultaneously infiltrated Starwood’s computer networks since 2014.
Already, tensions are high between Washington and Beijing amid an ongoing tariff dispute and the theft of trade secrets, and this would only exacerbate things if China is identified as being behind the attack. A Chinese Ministry of Foreign Affairs spokesman has strongly denied involvement and said the country opposes all forms of cyberattacks.
Customers’ names, addresses, phone numbers, birth dates, email addresses and passport numbers were stolen in the breach, along with a small percentage of encrypted credit card data.
Marriott became the world’s largest hotel operator after acquiring Starwood in 2016 for $13.6 billion, with its Sheraton, Westin, W Hotels, St. Regis, Aloft, Le Meridien, Tribute, Four Points and Luxury Collection hotel brands.
Notification Email Looked Suspect
Last week, Marriott sent out millions of emails notifying customers about the breach, but the sender’s domain “email-marriott.com” did not look like it came from Marriott. It is registered to third-party firm CSC, which sent the email on the hotel chain’s behalf, and does not have an identifying HTTPS security certificate, noted TechCrunch.
To add insult to injury, the email can be easily spoofed, the site said, and often, after a data breach, scammers will try to trick users into turning over their private information by sending a stream of messages embedded with fake websites. It is human nature to think you’re at risk after a breach, making people more susceptible to being duped, TechCrunch observed. Marriott International has agreed to pay for passport replacements if the company finds that customers have been victims of fraud, The Washington Post reported.
Security experts and government officials have expressed concern that the passport numbers, along with the other personal data exposed by the hack, could pose serious risks of identity theft — and be a threat to national security, the paper said.
It’s too soon for Marriott to estimate the financial ramifications of the cyberbreach, CFO Leeny Oberg told investors on a call Wednesday.
The company could face $200 million in fines and litigation expenses and could spend about $1 per customer notifying victims and providing free data monitoring services, according to Blomberg, citing a note from Morgan Stanley.
Hospitality was the third-most targeted industry for hacking, according to a report this year from an information security firm Trustwave Holdings.