The age of data breaches is upon us in full force. One month ago, Marriott released a statement confirming a large-scale data breach. This leak affected hundreds of millions of Marriott customers. Although authorities detected the leak in November 2018, Marriott confirmed it started years ago. Now, after a month of speculation around the nature of these data leaks, Marriott has revealed more information from their ongoing investigation into the matter.
Marriott claims that the number of affected customers is lower than the figure given earlier. However, the fact remains that it is still one of the worst personal data breaches in history. Its closest competition is the Equifax leak, which affected around 150 million Americans. Marriott also claims that the breach exposed millions of passport numbers belonging to their customers. This makes it even more awkward for the largest hotel company in the world.
When Marriott broke the news in November, they also revealed that hackers had been at it for four years. Authorities had been unable to detect data breaches that had been subtly happening since 2014. Personal information like credit card numbers, birth dates, hotel, and departure dates, as well as phone numbers, were all stolen.
As of now, the news is both good and bad. The number of victims has decreased from five hundred million to less than four hundred million customers. However, tens of millions of customers have lost their passport numbers to the breach. An official statement by Marriott confirms that 5.25 million unencrypted passport numbers were taken. Moreover, 20 million encrypted passport numbers have been lost as well.
It also confirms that the new upper limit for victims of the breach is 383 million, presumably negating the previous number of 500 million. The statement, however, does not officially confirm this.
The vital piece of information to take away from this is the fact that Marriott never encrypted five million passport numbers. This puts a noticeable question mark on several of their customer-care claims.
Arne Sorenson, Marriott’s President and CEO, said in a statement:
“We want to provide our customers and partners with updates based on our ongoing work to address this incident as we try to understand as much as we possibly can about what happened. As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott.”
Several news agencies report that the FBI is taking on the investigation to understand the true nature of this breach. In a segment on Fox and Friends, the US Secretary of State Mike Pompeo openly claimed that China was behind the Marriott hack. Although the Department of Justice and Department of State both refused to confirm his claims, an NYT article confirmed that China was the primary suspect.
Other than the part about Marriott not encrypting millions of passport numbers, the most appalling part of this investigation is the conclusion that it could be China, though China has denied involvement.
Stolen passports could be a potential gold mine for an intelligence agency with malicious data-gathering plans. Judging from recent developments, this data breach could very well turn into an issue of national security.