Marriott Starwood Hotel Hack, Lack Of Security Put In Context — What Internet Security Isn’t Reporting

Posted on December 1, 2018. Categories: data breach, hotel hack, information security, internet security, marriot breach, starwood hotels, technology, website hack

Sit back and travel back in time. Our founder was at a Marriott Starwood hotel at a hacker convention called Layerone, competing in a capture the flag, also known as a CTF. A CTF is a way for security researchers and hackers to test their skills by solving what are essentially puzzles: you have to find security weaknesses to win.

A series of incorrect instructions provided by the CTF accidentally specified the Starwood Hotel website as a valid CTF target to hack. Alright, well, this isn’t a normal target, but I’ll start poking around. It took minutes to find out the site was highly insecure, to the point that the capture the flag puzzles were far harder than hacking Starwood Marriott Hotels was.

The CTF hosts said that if our founder hacked the hotel website, we would win the CTF. It was all too easy to hack Starwood Hotels; however, because of our decency, our ethical code of conduct, and our practice of always acting legally, we didn’t go as far as the attack that started in 2014 and has only just been discovered and reported. Instead, we simply ran some of our own code on their site that did not impact the safety or security of customer data, and we contacted their head leadership with the exploit.

Starwood patched the vulnerability and the world went on. Now everyone is just discovering how soft a target Starwood Hotels truly was, and may still be. Up to 500 million users potentially compromised in a breach that had been ongoing since 2014 is a bit hard to believe for some, but then again, few have poked at Starwood’s security. This news doesn’t surprise me one bit, and it honestly shouldn’t surprise you.

How do you keep anonymity while staying at hotels if and when you want it?
Since 500 million accounts were exposed, some anonymous identities will be partially compromised as well. How can you have an anonymous identity at a hotel? That is an interesting question, and it turns out the answer is very simple. There are some people I’ve known for years whose real names I still do not know. They get credit cards under their secret identities and introduce themselves by those identities.

Why would you go to such lengths? Because internet security research wasn’t always looked upon as kindly as it is now, and we still have plenty of problems that need to be overcome, but that isn’t the focus of this article. Those who hold credit cards under a fake name have it easier than those who don’t: they simply have to change the name and get new credit cards. Information tied to your real name is now potentially available for the entire world to see. We do not know the extent of the breach yet, but the stolen data may reveal your interests, such as what you buy at hotels.

One thing that is nice about Starwood Marriott Hotels is that each one is its own world within a world. You walk through the automatic doors and there is a robot that delivers room service. No, I am not kidding. You then turn the corner to see one of the stores inside their miniature world that sells food, if chocolate and other snacks count. They have clothes, so if you forget your swimsuit you can just go buy one. You can walk over to the bar and grill and still be inside the hotel.

Do you see how great this is from a convenience standpoint, both for the people who stay there and for those who stole all your data? The attackers may, although we do not know yet, know what you buy at the store, what you order from the room service robot, and what type of foods you eat. They may also have your credit card details and the duration of your visit. Also, if you used a special promo code for a block of rooms, as is done for conferences, that is exposed as well.

So, a lot of people will ask why any of this matters. So what if they know I like Godiva Chocolate? At face value it doesn’t look like a problem, but for others this is a huge compromise. Anyone with the data can now selectively target you, knowing what foods you will react to and what you like to eat, so if we are going to go a bit 007, they could potentially poison food you order.

For the majority of people, none of these scenarios are a problem. Most of us already share that data online, but for a minority, these types of breaches could cause grave problems, especially for spies. Say what you want about spies; they’re still a minority that have had their cover blown. The probability of a spy staying at a Starwood is higher than you might think, based on how many Starwood hotels exist. Their identities could be compromised even if they didn’t stay at a Starwood hotel or property: if they stayed at any Marriott and had their data merged when Starwood was bought out, they’ve been exposed.

Do you see the severity of this internet security breach? You do? Great, then you don’t need to keep reading. If you don’t, then let’s look at it from this viewpoint: 500 million credit cards have been leaked, affecting 500 million bank accounts, which, if they are all still valid and in use, could cause a major problem for banks. You hate banks, so you don’t see how this affects you? Fine, we can see that viewpoint, but if the banks have a problem, say too much credit card fraud, then it is going to cost them money and potentially impact the economy.

If none of this has you concerned, we will give it another try. Were you having an affair? Does your significant other not know, and you weren’t exposed in the Ashley Madison data breach? You thought it would be smart to buy a hotel room so you wouldn’t be caught, right? Well, now your significant other will find out, and your relationship is where it should be, from my honest perspective. You don’t deserve a significant other you cheat on. Or let’s say you’re part of the LGBT community and you got a room for two and both names are shown. It is going to raise suspicions if you are married and being your true self on the side. Maybe in this case this will improve your life in the long run and you can become the true you. Let’s hope you aren’t from a country where being gay gets you jailed or killed.

One last example for the road: let’s say you don’t want your employer to know you attend a certain type of conference, and that data has been exposed. They may find out you were at a convention at the hotel that was focused on hiring people. They may suspect you were trying to get a new job, which, while legal, some companies don’t look kindly on.

Now that every potential example we can think of for how the Starwood Marriott Hotels breach could impact you has been explained, we hope you realize there is a problem.

Now what do you do to protect yourself from the Starwood Marriott breach?

While the default reaction is to say "change your password", the announcement from Starwood didn’t make it clear whether the hackers still had control of the system or not, so change your password to one you’ve never used before. You’re always supposed to do that. If you reused the password associated with your Starwood Marriott account on another site, change that password now.

Contact your bank and let them know that you were impacted by the Starwood Marriott hotel data breach and ask them to keep a closer eye on your transactions, so that fraud alerting is set at a higher level. Also, if you care about privacy and don’t want your birthday known, change it on every website.

If this helps you, let us know; if not, we would like to thank you for reading. We will be writing about SEO tomorrow!