Marriott International, which announced last week it was the victim of a hack in which the bad guys accessed its reservation database for Starwood properties, could have stopped the breach years earlier.
According to a report in the Wall Street Journal citing cyber security specialists, the breach in which the personal information of as many as 500 million customers was exposed began in 2014, going undetected until September of 2018. In 2015, the Wall Street Journal reported Marriott had a smaller breach in which malware was installed on point of sale systems in hotel restaurants and gift shops. That was announced four days after Marriott announced it was buying Starwood Hotels & Resorts, noted the paper. While Marriott says the 2015 incident wasn’t related to the attack it made public Friday, cybersecurity specialists said a deeper dive into that 2015 incident may have uncovered the hackers, who were able to hang around in the reservation system for at least three years.
“With all the resources they have, they should have been able to isolate hackers back in 2015,” said Andrei Barysevich, a researcher with the security company Recorded Future, in the Wall Street Journal report. A spokeswoman for Marriott said everyone involved would have preferred the incident was identified earlier. “When there is a concern that payment cards are at risk, forensic investigations start looking at devices that process payment cards and follow the evidence from there.”
The hack disclosed last week is second only to Yahoo, which was hacked in 2013 and 2014, with data on 500 million and three billion users exposed. The hack could hurt Marriott’s reputation at a time when it’s fighting off the likes of Airbnb. Marriott said it’s still working through the cause and impact of the hack. It said it learned of it on Sept. 8 and notified customers and regulators shortly after determining on November 19 that hackers accessed information from the Starwood reservation database. That means hackers may have gotten access to passports, travel details and, in some cases, credit card information on 327 million people.