01.12.2018 – Did it start with a phishing attack? Jean Martin’s podcast on ITSP Radio investigates the theft of 500 million records at the Marriott Group. The Marriott data breach exposed the data of half a billion Marriott guests.
Jean speaks with his guests Colin Bastable of LUCY Security and Matt Mosley of Tevora about the incident:
- What happened
- Why the hotel industry is a regular target of such attacks
- What impact this incident will have on industry and consumers
- What penalties will be imposed (GDPR)
The incident was discovered in September 2018; the Marriott Group acted quickly and announced in a statement on 30 November 2018 that the Starwood hotel reservation systems had been hacked. The internal investigation then revealed that the unauthorised access could be traced back to 2014! For more than 327 million guests, the data that left the company included name, mailing address, phone number, email address, passport number, Starwood account information, date of birth, gender, communication preferences and stay information. For some guests, credit card information was also stolen, but it was encrypted (AES-128, Advanced Encryption Standard).
It started with a phishing attack – The discussion partners assume that the attack most likely began with a phishing attack. It was also noted that the attacks apparently continued during and after the merger between Starwood and Marriott.
Why is this a treasure? The attackers captured an incredible amount of data with this attack. They are now in possession of intimate personal identification data of half a billion tourists, business travellers and government employees.
“None of these companies are able to protect your customer data” – The 25-minute podcast gives food for thought. We are all customers, and we should consider how we share our intimate data. The Marriott case will probably become a GDPR / DSGVO precedent case, likely with very high penalties, but the damage is already done!
Listen in and think about it! Do you use unprotected public networks? Do you store your credit card details? Do you share your real birthday?