2015 Marriott Breach: Prelude To 2018 Cyberattack?

Marriott International, which announced last week it was the victim of a hack in which the bad guys accessed its reservation database for Starwood properties, could have stopped the breach years earlier.

According to a report in the Wall Street Journal citing cybersecurity specialists, the breach in which the personal information of as many as 500 million customers was exposed began in 2014, going undetected until September of 2018. In 2015, the Wall Street Journal reported Marriott had a smaller breach in which malware was installed on point of sale systems in hotel restaurants and gift shops. That was announced four days after Marriott announced it was buying Starwood Hotels & Resorts, noted the paper. While Marriott says the 2015 incident wasn’t related to the attack it made public Friday, cybersecurity specialists said a deeper dive into that 2015 incident may have uncovered the hackers, who were able to hang around in the reservation system for at least three years.

“With all the resources they have, they should have been able to isolate hackers back in 2015,” said Andrei Barysevich, a researcher with the security company Recorded Future, in the Wall Street Journal report. A spokeswoman for Marriott said everyone involved would have preferred the incident was identified earlier. “When there is a concern that payment cards are at risk, forensic investigations start looking at devices that process payment cards and follow the evidence from there.”

The hack disclosed last week is second only to Yahoo, which was hacked in 2013 and 2014, with data on 500 million and three billion users exposed. The hack could hurt Marriott’s reputation at a time when it’s fighting off the likes of Airbnb. Marriott said it’s still working through the cause and impact of the hack. It said it learned of it on Sept. 8 and notified customers and regulators shortly after determining on November 19 that hackers accessed information from the Starwood reservation database. That means hackers may have gotten access to passports, travel details and, in some cases, credit card information on 327 million people.


