In 2018, Marriott experienced a massive breach that exposed details of 500 million guests over a four-year period. At the time, Marriott claimed that its data was secured by AES-128 encryption but now admits it was not.In an April hearing for a case involving customers who sued the hotel chain, Marriott acknowledged that its systems were not encrypted and instead used secure hash algorithm 1 (SHA-1), which doesn’t qualify as encryption. The judge in the case ordered Marriott to update its website with that information immediately.As CSO Online reports, Marriott did indeed make the change, but it did so on a web page created in 2019 and didn’t send customers any sort of alert. The notice reads:”Following an investigation with several leading data security experts, Marriott initially determined that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident that Marriott reported on November 30, 2018 were protected using Advanced Encryption Standard 128 encryption (AES-128). Marriott has now determined that the payment card numbers and some of the passport numbers in those tables were instead protected with a different cryptographic method known as Secure Hash Algorithm 1 (SHA-1).”It’s unclear how Marriott was able to misrepresent its security setup. As CSO Online notes, the company hired third-party security firms—including Accenture, Verizon, and CrowdStrike—to do an audit. Did they all miss the fact that Marriott systems were not encrypted? Lawyers for Marriott would like you to believe so. “It was only recently that Marriott had reason to question” the encryption claims, says Marriott attorney Lisa Ghannoum.Experts who spoke to CSO Online were skeptical. For instance, Marriott had to integrate its systems with Starwood Hotels & Resorts Worldwide when it acquired that chain in 2015, which would require knowledge about the “encryption scheme.”
Recommended by Our Editors
In 2020, Marriott suffered another breach that hit an additional 5.2 million guests.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
