Report: Marriott hack could be Chinese intelligence

Photo credit: matejmo/iStockPhoto

Private investigators for Marriott International have said Chinese hackers are emerging as suspects in the security breach that left the personal information of up to 500 million hotel guests exposed. In late November, Marriott disclosed that it had been the victim of what is shaping up to be the biggest data breach of all time. The breach allowed hackers unauthorized access to the Starwood Hotels & Resorts Worldwide network starting in 2014. Marriott acquired Starwood in 2016 for $13.6 billion, creating the world’s largest hotel operator.

Sources familiar with Marriott's investigation told Reuters that the methods used in the recent hack are similar to the “hacking tools, techniques and procedures” that Chinese hackers have deployed before.

From the report: Chinese hackers may have been behind a campaign designed to collect information for use in Beijing’s espionage efforts and not for financial gain, two of the sources said.

While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have been posted online previously.

Identifying the culprit is further complicated by the fact that investigators suspect multiple hacking groups may have simultaneously been inside Starwood’s computer networks since 2014, one of the sources told Reuters.

“China firmly opposes all forms of cyberattack and cracks down on them in accordance with law,” Chinese Ministry of Foreign Affairs spokesman Geng Shuang told Reuters. “If offered evidence, the relevant Chinese departments will carry out investigations according to law.”

Marriott spokeswoman Connie Kim declined to comment, saying “We’ve got nothing to share,” when asked about involvement of Chinese hackers.

Government Concerns

Last week, it emerged that the chief financial officer of Huawei, one of China’s biggest tech exporters, had been detained in Vancouver, charged with violating sanctions against Iran, and faced deportation to the U.S. The U.S. government has been putting pressure on Western governments in recent weeks to drop support for the company’s 5G infrastructure equipment amid concerns about its alleged links to Beijing.

Huawei has repeatedly stressed that it operates independently of the Chinese authorities, but that has failed to allay some Western governments’ concerns. Last month, New Zealand’s intelligence agency blocked one of the country’s telecoms providers from using Huawei equipment as part of its 5G rollout.

The U.S. National Security Agency and the U.K.-based National Cyber Security Centre have not yet passed public comment on the possible identity of the Marriott attacker.

Hilton, Hyatt Hotels Corporation and InterContinental Hotels Group have all been targeted in past attacks, though the Marriott breach dwarfs those hacks in terms of number of guests affected. For approximately 327 million of these Starwood/Marriott guests, the info includes some combination of name, mailing address, phone number, email address and passport number.

Picking up the Pieces

After news of the Marriott breach came out, Sen. Charles E. Schumer (D-N.Y.) called on the hotel chain to foot the bill and replace passports that potentially were compromised as part of the breach. Marriott quickly promised to cover the cost for as many as 327 million people whose passport numbers may have been exposed. At a fee of $110 per passport, that would put Marriott on the hook to pay up to $36 billion—a price tag equivalent to the value of the entire company, per its market capitalization.

But there is a catch. The company said it will follow through on reimbursement only in instances where it “determine[s] that fraud has taken place.”

Marriott also is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Guests from the United States who complete the WebWatcher enrollment process will also be provided fraud consultation services and reimbursement coverage for free.