Cybersecurity or information security is not the thing a lot of travellers think about. You’re about to leave on a well-deserved holiday, and the last thing you want is even more troubles to think of.
However, that is not the case anymore. And if you want to truly be safe on your travels, cybersecurity will be one thing you will have to worry about.
But why is that? In this article, let’s look at what happened at the Marriott hotel. And what does that mean for safe travels?
The Marriott hotel data-breaches
Marriott hotel is huge, and if you’re a frequent traveller, then chances are you stayed in one before. Also, there are chances that your personal data might end up in the hands of the Chinese government. Talk about data protection. But how and why did this happen?
Currently, the Marriott chain serves over 8,400 locations and has around 144,000 employees. It was established nearly a hundred years ago and right now is the largest hotel chain by the number of available rooms.
Also, Marriott hotel had to pay £18.4 million in fine for failing to comply with General Data Protection Regulations or GDPR in short. And this is where the travellers should pay attention.
The first data breach
In 2018, Marriott hotel disclosed that 500 million user data had been leaked. What makes things even worse is that it was not only guests visiting in 2018 or around that time. Apparently, the cyberattack happened in 2014, and it happened against the Starwood hotel branch, which was known for extremely weak security measurements.
Marriott hotel acquired the Starwood chain in 2016. But from the cybersecurity point of view, it’s not as easy as handing over the keys to the apartment. Different companies use different security systems. Data between the two of them has to be transferred securely. Cooperation between two cybersecurity teams - Starwood and Marriott - should’ve happened. But the reports show that Stardwood staff was laid off, which frequently occurs in such acquisitions.
Unknowingly to Marriott, they bought the Remote Access Trojan (RAT) as well. Imagine cybercriminals that had successfully infiltrated the system for two years and suddenly gained access to a way more extensive network with even more data, without having to do anything. Some call it a trip to Disneyland.
For two more years, the malware collected data and sent it to the attackers, until in 2018, Marriott noticed suspicious activities in the network and the investigation was launched. But it was too late. So, finally, let’s see what that means for the travellers?
The aftermath of a data-leak
Data-leaks must contain personal information; otherwise, they are useless, and nobody would even bother. This particular Marriott hotel data-leak exposed:
arrival and departure information;
loyalty programme numbers;
Credit card numbers in an encrypted form;
Decryption keys stored on the same server as credit card numbers.
These last two would alert any cybersecurity specialist of poor data security.
What’s the usual outcome of such leaks? Most often, data is used for marketing. Companies get tons of email addresses, phone numbers, which they start spamming with deals, discounts, and alike.
A more dangerous scenario is Phishing campaigns. Cybercriminals use the data to forge convincing letters or make compelling phone calls to lure out money. For example, you may receive an email from your bank stating you need to login and verify some information. If the email has no personal data, you’d question, “Is this for real?” But if it included your real name, your card details, and other personal information, you might be tempted to do as the email states.
What happens next is that you’re directed to a website that looks exactly like the bank that you use. While in reality, it’s a mirror page set-up by hackers to steal information. If you don’t use a password manager like NordPass, which autofills passwords for you, anything that you input there is sent to cybercriminals instead of your bank, and the next thing you know is that somebody withdrew a lot of cash from your savings.
In this particular case, the attack was traced to the Chinese hackers gathering data on US citizens, so no such campaigns occurred because the goal was not to make money but extract data.
But next time, it might be a cybercrime ring that has the intention of stealing money.
And this is the reason why you should worry about cybersecurity before travelling. It might not be your fault your data leaked, but you might become the victim.