Posted on January 7, 2019 at 11:27 PM
Over 5 Million Passport Numbers Stolen in Marriott Attack had no Encryption
The hack of Marriott International, the biggest hotel company in the world, has undoubtedly been one of the largest hacks discovered in 2018. This becomes even more significant considering that the previous year was filled with massive attacks, many of which affected millions of people.
Yesterday, January 4th, new information regarding this particular hack became available, when Marriott itself admitted that around 5.25 million stolen passport numbers were not encrypted. In other words, the passport numbers were perfectly readable by anyone who gained access to them. While this is only one-quarter of the total number of stolen passport numbers (20.3 million), it is still genuinely concerning.
The majority of information that was stolen over the years-long attack that affected the hotel was confirmed to be encrypted. This means that it was changed into another code, which makes it unreadable to those who do not have a proper digital key which decrypts information. The hotel also noted that the original estimates of 500 million affected customers were wrong. During the investigation, which is still on-going, the real number of unique guests that were affected by the data leak is closer to 383 million.
Also, Marriott’s president and CEO, Arne Sorenson, stated that the company would continue to notify customers of new developments, as well as address their concerns. One example of this is the hotel company’s offer to pay for new passports for everyone whose passport data was stolen from the hotels’ systems and involved in some type of fraud.
On the other hand, the State Department released a statement, advising affected individuals not to panic, as the passport numbers alone are not enough to create a fake passport. One of the use cases for stolen passport numbers revolves around tracking people during their travels, which is something that the US intelligence agencies were known to do with passport numbers belonging to foreigners.
Another question that emerged with this information is why some numbers were encrypted, while others were not? One answer may lie in different protocols for handling such information. Whatever the case may be, those whose passport numbers were encrypted are not expected to be in any danger of information misuse, as there is no proof that the group behind the attack accessed the decryption key necessary for unlocking the stolen information.
In any event, whether the number of affected individuals is 500 million or 383 million, this is still one of the largest data thefts in history. Other massive attacks include the hack of Equifax in 2017, when around 140 US citizens were affected, as well as the Target hack of 2013, which affected 40 million customers.
Who was responsible for the attack?
One of the largest mysteries regarding the attack revolves around the very identity of the attackers. According to experts — some of which were FBI employees — it is entirely possible that China’s Ministry of State Security directed the attack. There is still no firm evidence to support this theory, and the US government has not accused China of being involved as of yet.
However, the attack has intrigued numerous private cyberintelligence groups, and after looking into the breach, they have found multiple similarities to other attacks which are known to be conducted by Chinese hackers. Marriott itself has not made any accusations either, and the identity of the attackers remains unresolved.
Meanwhile, Chinese government officials made their own official statement, denying their involvement or knowledge regarding the incident. In December 2018, weeks after the news of the hack broke out, Chinese Ministry of Foreign Affairs spokesman, Geng Shuang, stated that the country opposes cyber attacks and that it cracks down on all those who violate the law by engaging in such activities.
Furthermore, the spokesman added that the country’s government would be more than willing to conduct its own investigation if offered evidence of their alleged involvement. Many remain skeptical of this statement, especially after one of the Ministry of State Security of China’s top official ended up being arrested in Belgium last year for playing a central role in a hack that targeted the US defense-related companies. However, as this incident has nothing to do with the attack on Marriott hotels, investigators are still trying to find a solid link before making further claims.