Dan Munro - Dev-Sec-Ops Engineer

Marriott Hack: An Update

This is an update on the initial news report, which broke in November 2018.

In addition to 5.25 million unencrypted passport numbers, 20.3 million encrypted passport numbers were swiped. This is a huge admission, and represents one of the largest known compromises of passport numbers in history. Still, the passports represent only a small fraction of the total data compromised.

Scope Of The Breach

At least there is a silver lining. The estimated number of affected “unique guests” is down from the 500 million given in the original estimate. According to a combination of internal and external computer forensics teams, the number has been revised down to 383 million.

For those accounts, information such as names, addresses, phone numbers, email addresses, DOB, gender, reservation information, and encrypted credit card information was exposed.

A total of 8.6 million encrypted credit cards were exposed, with 354,000 unexpired as of September.

Passport Numbers And Reservation Information

One pernicious aspect of this hack is what type of information got exposed, and what that means for affected individuals. Passport numbers and reservation information can be very useful in reconstructing travel history.

This is normally pretty bad. And considering that experts suspect China perpetrated the hack, the value of past location data takes on new meaning. High-value targets for an authoritarian regime, such as spies, social dissidents, foreigners, and ambassadors who have stayed in a Marriott, should have cause for concern.

Written on Jan 4, 2019.