The Marriott Cyber Incident

Welcome to the CyberCure Bi-Weekly podcast transcript.


In this article we will focus on the latest cyber events for non-technical people, so that anyone can easily understand complicated things.

Recently we have covered some of the increasing cyber incidents related to the aviation industry, but there is another industry that is targeted constantly and should also get some attention: hotels and hotel chains.
Hacking into a hotel has many benefits, just like hacking into an airport. There is a constant, 24/7 flow of people paying and providing new personal details such as passports, addresses, and names.

Whether they are government-affiliated attackers who want to keep track of people, or hacker groups looking for financial gain, they all aim for hotels.

Some of them do it successfully. An unprecedented cyber-attack on Marriott was disclosed recently. In 2016, as part of its expansion, Marriott acquired the Starwood Hotels network.

Until late 2018 no one knew that attackers had compromised Starwood Hotels’ reservation system and were able to retrieve many details about guests of the hotel chain. Marriott estimates that more than 300 million records were stolen since the intrusion began in 2014.

While most of the sensitive record fields, such as passport and credit card numbers, were encrypted, it is possible that the attackers are able to break the encryption.

Marriott said that the vulnerable Starwood Hotels reservation system had not been in use for a long time, so many of the records were outdated and expired.

It’s a popular, but unverified, opinion on the internet that China’s army is behind this attack.

However, the threat landscape against Starwood Hotels is much wider than that. Many commercial groups that use cyber-attacks for profit could have benefited from such an attack.

Let’s look at the benefits attackers can gain from the data that was stolen.

Based on Marriott’s announcement, the attackers were able to retrieve a whopping 5.25 million unencrypted passport numbers as well as 20.3 million encrypted passport numbers.

For intelligence organizations, 5 million passports are like heaven. They contain valid numbers and details about a huge variety of people, which means intelligence organizations can conceal their own identities behind real people’s details, and do much more.

But those aren’t the only benefits such state-sponsored attacks can bring.

In theory, if the attacker were a country under sanctions, this might be a very good way to increase its income.

Marriott disclosed that the attack involved the data of 8.6 million encrypted credit cards, of which all but 354,000 were expired.

That means that from 2014 until the system stopped working in 2018, the attackers gathered 8.6 million credit cards that could have been used.

That’s a lot of money there! The fact that some of the credit cards have expired today doesn’t mean much, as they were active in the past and the attackers had access to them for 4 years.

Some of the listeners might be wondering, how are the attackers going to get money out of the credit cards, and how much?

Well, let’s do a quick calculation together to estimate.

Let’s say the attackers successfully swiped only half of the credit cards that were stolen over time. That’s around 4 million valid credit cards over 4 years, or around 80,000 credit cards per month.

Let’s say that the attackers, whoever they are, set up an international charity organization for sick and poor kids. This organization charges each credit card $2, once.

So out of the 80,000 credit cards processed each month, only half of the charges go through, and the owners do not ask to cancel the $2 charge that was made automatically and appears on the credit card statement as a donation for poor kids. That’s a profit of around $80,000 per month from a passive money-generating system. And remember that we assumed each credit card was charged only once; what if they charged each credit card 5 times for $5? That’s a passive revenue of $400,000 per month!

If this attack was carried out for financial gain, the attackers could easily have made at least $4 million over that period of time.

That’s just from a single attack carried out years ago! And this is a conservative estimate.

Did executing the attack cost more than several million? Probably not.

Are they here now?

So, whoever did that, wherever they are, you can be certain that they are happy about their accomplishment, sipping some good western scotch, working on a western computer and speaking basic English… Have a guess?

That’s it for this time. Stay safe and see you next time.

Don’t forget to visit for the latest podcasts and cyber intelligence.