In the relatively short history of data breaches, most have followed a similar pattern. Generally, some bad actor gains access to classified data, and then leaks names, phone numbers, birthdates, and other semi-private pieces of information. While breaches like this can certainly have a negative impact on a business, the consequences aren’t as severe for the consumer when only semi-private information leaks. After all, bad actors can only do so much with a name and corresponding phone number. However, the consequences become much more serious when private data is lost. If information like credit card numbers, passwords, and social security numbers are leaked, it can have devastating financial consequences for those affected. Unfortunately, that is exactly what occurred in the case of the Marriott data breach in 2018.
In honor of Cybersecurity Awareness Month, AXEL is writing about some of the worst leaks, data breaches, and ransomware attacks in history. Follow along all October long to learn about what went wrong, what could’ve been done, and how companies responded to devastating data breaches.
In November 2015, Marriott made a massive purchase, announcing its bid to buy Starwood Hotels and Resorts. Following a bidding war, Marriott eventually acquired the hotel chain for USD $13.6 billion . Hotels previously under the Starwood brand include Westin, Sheraton, and other luxury hotels popular with business travelers. This merger ultimately made Marriott the world’s largest hotel chain, with over 5,700 properties worldwide following the acquisition . Unfortunately, Marriott’s acquisition of Starwood did not only include Starwood’s hotel properties, but its outdated cybersecurity infrastructure as well.
In 2014, a bad actor gained access to Starwood’s network and began to extract customer data from the company’s reservation system. Starwood’s network was already seen as particularly susceptible in 2014, and cybercriminals seized on that opportunity . However, this attack went unnoticed for years, even as Starwood was being acquired by Marriott. In fact, most of Starwood’s information technology and security staff were laid off following the merger . Ultimately, this created the perfect storm for the hackers; an outdated, compromised reservation system with little security to watch over them. Even after the merger, Marriott still used Starwood’s reservation system for its former properties, continuing to put customer data at risk. And in 2018, that risk became realized.
In September 2018, Marriott’s cybersecurity team found a suspicious attempt to gain access to Starwood’s guest reservation database. After investigating, Marriott found that bad actors had gained access, encrypted the guest reservation data, and extracted that data over four years . Ultimately, Marriott estimated that 500 million guest records had been leaked. Even worse, the records contained highly personal information, including credit card numbers and passport numbers.
Worst of all, however, the breach was entirely preventable. While Starwood did encrypt credit card numbers on its server, it kept the encryption keys on the same server, making it painfully easy for the cybercriminals to extract the data . Additionally, the majority of passport numbers were not encrypted at all. Combined with Starwood and Marriott failing to recognize or change its poor cybersecurity, this was a cyberattack that simply would not have happened if not for the negligence of the companies involved.
Eventually, investigators determined that the perpetrators of the cyberattack were Chinese state actors . While most cyberattacks are committed by criminals who wish to sell the leaked data and make a quick buck, this attack had a very different purpose. Investigators hypothesize that China wished to track the movement and gain information on American businesspeople, military personnel, and diplomats. Ultimately, Chinese officials wished to gain this information to find potential candidates to approach to become spies for China . This made the leaked passport numbers, a rarity in most data breaches, particularly valuable for the perpetrators of the cyberattack.
Lessons From the Attack
Following the breach, Marriott faced criticism from individuals and governments alike. While class action lawsuits originated in the United States mostly failed to gain traction in court, Marriott faced a myriad of fines overseas. In fact, Marriott was fined GBP £18.4 million, or approximately USD $25 million, for violating the General Data Protection Regulation, the EU’s overarching privacy law . However, many of the expenses related to the attack were covered by Marriott’s cybersecurity insurance, a growing industry due to the sheer prevalence of cyberattacks in modern times .
While cybersecurity insurance incurred many of the costs, irreparable harm was done to Marriott’s image due to its mistakes. First and foremost, the company’s decision to continue using an outdated, vulnerable reservation system even after the merger proved to be catastrophic. While business mergers are undoubtedly a time of great turmoil, the negligence of Marriott’s cybersecurity is unforgivable, as it put millions at risk. Additionally, Marriott’s poor encryption made the data easy to find and extract. While some businesses are simply unlucky when it comes to cyberattacks, Marriott did not suffer because of bad luck, but its own negligence.
Protect Your Data with AXEL Go
Using a secure file storage system is the key to protecting your data from breaches and ransomware attacks. That’s where AXEL Go comes in. Offering military-grade encryption and decentralized blockchain technology, AXEL Go is the best way to protect yourself and your business from unauthorized cybercriminals. With devastating cyberattacks not going away any time soon, secure file-sharing is a necessity for businesses and individuals. If you’re ready to get the best protection, try two free weeks of AXEL Go here.
 Smith, Aaron. “Marriott Starwood Merger Creates World’s Biggest Hotel Company.” CNNMoney. November 16, 2015. https://money.cnn.com/2015/11/16/investing/marriott-starwood-hotel/index.html.
 “Meet the Biggest Hotel Chains in the World.” Hospitality News & Business Insights by EHL. https://hospitalityinsights.ehl.edu/biggest-hotel-chains.
 Fruhlinger, Josh. “Marriott Data Breach FAQ: How Did It Happen and What Was the Impact?” CSO Online. February 12, 2020. https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html.
 Nakashima, Ellen, and Craig Timberg. “U.S. Investigators Point to China in Marriott Hack Affecting 500 Million Guests.” The Washington Post. December 12, 2018. https://www.washingtonpost.com/technology/2018/12/12/us-investigators-point-china-marriott-hack-affecting-million-travelers/.
 “ICO Fines Marriott International Inc £18.4million for failing to Keep Customers’ Personal Data Secure.” ICO. October 30, 2020. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/10/ico-fines-marriott-international-inc-184million-for-failing-to-keep-customers-personal-data-secure/.