The Marriott International breach: reputational and financial damage

At the end of November, the Marriott hotel chain reported that its guest reservation database had been hacked, an incident possibly affecting up to 500 million people. The system, used to book rooms at Marriott's Starwood properties, had apparently first been infiltrated in 2014.

Information stolen by the hackers includes names, passport numbers, email and physical addresses, phone numbers, dates of birth and travel details. In some cases, credit card data - including payment card number and expiration date - may also have been lifted.

Some US officials investigating the incident have claimed that the Chinese intelligence services are responsible for the attack, as it appears to be similar to hacking operations seen to be orchestrated by Beijing in 2014. Not only are the techniques and tools used reportedly much the same, but this intrusion has gone on for a very long time: it has allowed the infiltrators the time to conduct an ambitious cyber-espionage exercise presumably aimed at collecting as much useful and up-to-date data as possible. State-sponsored groups are certainly more likely to sit quietly in the background for much longer periods than hackers who may simply prefer to enter and exit a system as quickly as possible with a cache of stolen credit cards.

However, there has also been some debate as to whether or not Marriott’s network was actually hacked. One security researcher has pointed to the lack of publicly disclosed information, and has speculated that an “unauthorised user” such as an ex-employee or contractor could perhaps have been responsible for the breach and could even be attempting to extort money from the company.

Whatever the results of the investigations, one thing is certain: the hotel industry is an attractive target for cyber criminals, and Marriott International is just the latest victim.

This year alone, several prominent hotel chains have been targeted.

For example, in August China’s Huazhu Hotels Group, one of the world's largest hotel operators, announced that it was investigating a data breach affecting 130 million customers. The stolen information contained email addresses, phone numbers, bank account numbers and booking details. It was quickly advertised for sale on Chinese Darknet forums.

In June Japan-based Prince Hotels reported that 124,963 customers may have had their data stolen after a cyber attack that took place on 15 and 17 June this year. A spokesman for the company said the attack on its English, Chinese and Korean website, which is operated by Fastbooking Co., led to the personal information of 58,003 people being compromised, while the theft of credit card data was involved in the remaining 66,960 cases. Around 86 percent of affected customers were non-Japanese: all had used the website to make their reservations, and all had stayed at one of the 43 Prince Hotels in Japan between May and August 2017. Fastbooking, based in Paris, supplies hotel booking software to more than 4,000 hotels in 100 countries.

Hotels store a vast amount of lucrative personal data, including names, addresses, passport numbers, travel plans and credit card details; customers staying on the premises are also likely to use the on-site restaurants or shops, leaving them open to further risks from malware-infected POS systems.

Once a successful attack has been carried out and the highly valuable data has been stolen, the hackers have various options for securing the greatest financial return from it.

Understanding only too well the reputational damage to a business, a criminal may choose to hold the data to ransom, demanding a sum of money for its decryption or return.

Another popular option is to advertise the data on the Darknet, where it can be sold anonymously to the highest bidder.

Advertisements offering the sale of data stolen from hotel groups are relatively common on Darknet marketplaces. For example, one typical listing on a Russian forum in August included alleged data from Hampton by Hilton and Radisson Hotels.

While some mainstream news sites reported that the Marriott data had not appeared for sale on the Darknet, we did in fact find a listing on one well-known marketplace just a couple of days after the incident had been disclosed. The advert - “Marriott Customers Database – 1M entries” - included some 24 databases, with one million entries allegedly contained in each one. Each database was selling for $7,500. No sales have been made so far, although the offer has already been viewed over 60 times.

It is not possible to determine whether this is a genuine listing; nor can we comment on the data it contains or speculate on whether it has been sold, since such transactions necessarily take place anonymously and are conducted via direct message. The vendor’s credibility is another question that cannot be answered. Suffice it to say that scamming is another popular activity on the Darknet.

The Marriott breach could prove to be one of the biggest data thefts discovered to date. While it is too early to estimate the financial and reputational damage to the company, the various fines and court costs that it is facing are huge.

The financial penalties levied under the EU’s General Data Protection Regulation (GDPR) alone could total up to four percent of the hotel chain’s annual turnover. A separate fine may also be applied for any failure to disclose the breach within the stipulated 72-hour window.

The GDPR came into force on 25 May 2018. Some experts may argue that the breach took place long before that and therefore the rules (and fines) should not apply in this instance. However, in April this year a European Commission official stated that data breaches that took place before 25 May but have come to light since then will still be subject to the regulations.

An interesting legal debate involving GDPR enforcement is therefore certain to follow as the Marriott case is examined in the coming years.

Meanwhile, the company will also be dealing with any number of lawsuits as it seeks to recover from this highly damaging blow to its business reputation.