Data Of Some 500 Million Marriott Customers Stolen In Breach
AUDIE CORNISH, HOST:
Marriott said today that as many as 500 million hotel guests have had their data stolen. We're talking about people who made reservations at a Starwood property since 2014. What makes this data breach stand out is the sensitive personal data that was scooped up from passport numbers to lengths of stays. Now several state attorneys general, including Illinois and New York, are investigating. NPR's Alina Selyukh has more.
ALINA SELYUKH, BYLINE: Outside of the upscale St. Regis Hotel in downtown Washington, the day seemed to be business as usual.
(SOUNDBITE OF WHISTLE BLOWING)
SELYUKH: But for the parent company of St. Regis, this was far from a regular day. Marriott International says its Starwood hotel reservation system was compromised by hackers for at least four years. The breach affects hotels such as Sheraton, Westin, W, Aloft and St. Regis.
MATT TAIT: This particular breach is enormous.
SELYUKH: Matt Tait is a senior cybersecurity fellow at the University of Texas at Austin. He points out the sheer breadth of data compromised in this breach. Marriott says for 327 million customers the stolen data might include names, email and mailing addresses, dates of birth, but also passport information and in some cases credit card numbers along with expiration dates. Those details were encrypted, but Marriott says it cannot rule out the possibility that the hackers also stole the keys to decrypt them.
TAIT: A lot of people - they're going to be very confused why Marriott stored this sort of volume of data.
SELYUKH: Tait says he is actually a rewards member with Marriott himself. And he was surprised to find out that the hotel chain was storing sensitive details such as passport numbers. And this is why to him this hack is a big deal, not just because of the number of people affected but the quality of the stolen data.
TAIT: This is going to make it very easy for these hackers who have taken this information to potentially commit identity fraud.
SELYUKH: And yet at both the St. Regis and Westin in downtown D.C., most hotel guests were unsurprised by the news and even resigned.
ANDRIA MCCLELLAN: It's our new reality. And it's unfortunate. And it's - you know, we know what to do.
JIM MULLIGAN: If you're accessing the Internet, your expectations for security are pretty low at this point.
LANCE HOLMAN: I think that's just the new normal.
SELYUKH: That doesn't change your attitude toward the company?
HOLMAN: No, it doesn't really.
SELYUKH: That's Andria McClellan from Virginia, Jim Mulligan from Chicago and Lance Holman from California. All the guests I interviewed said they will now pay extra attention to their credit card charges and change passwords. But they said they would keep staying at Marriott hotels.
HOLMAN: They own everything. You can't get away from them.
MULLIGAN: I'm married to them at this point. Yeah (laughter).
SELYUKH: But to cybersecurity and intelligence experts, there's far more at stake with this scale of breach.
MICHAEL DALY: We need people to understand that there is a bigger picture.
SELYUKH: Michael Daly is chief technology officer for cybersecurity at the defense company Raytheon.
DALY: Sort of like the boiling-the-frog problem, every time we have a breach and the numbers get larger and larger, then the world doesn't collapse, we all move the bar a little higher and say, well, I guess that wasn't as bad.
SELYUKH: But he says this isn't a matter of one person's travel schedule, money or even identity. He's worried about the value of all this information for spies, foreign adversaries. Think travel patterns of politicians, potential major business meetings. All that in one massive data breach on top of all the other breaches - he says that is a matter of national security. Alina Selyukh, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.