A couple of weeks ago Marriott revealed a massive data breach affecting 500 million records. They didn't tell us very much about what happened, other than that the data came from the legacy Starwood reservation database, that unauthorized access went back to 2014, and that in some cases even passport numbers were exposed.
- The numbers didn’t really make sense — how on earth do they get to 500 million records?
- They emphasized that it was the Starwood database, as though it wasn't their fault, even though the intrusion continued for a couple of years after the merger while Marriott was managing the system (and by then most of the Starwood IT folks were long gone, casualties of the merger).
- They also seem to have pushed the idea that China could be at fault, though there’s little evidence for this. Tools used in previous government hacks are available elsewhere, and there’s not even an indication that it was just a single hack.
There have been some head fakes towards taking responsibility, like promising to pay for new passports for those people whose identities are already compromised. That is too little, too late for those people, and it costs Marriott very little. The truth is you're on your own to protect yourself, so here's what you should do.
Now a former Starwood Senior Vice President of Technology is speaking out with inside knowledge to shed some light on what likely happened here. To reach the volume of exposed data Marriott reports, the breach almost necessarily had to involve the data warehouse, and unsurprisingly he thinks Marriott bears a lot more responsibility than its public statements suggest.
Here's why he says it has to be the data warehouse, which Marriott managed directly from the time of the merger:
It is known that soon after Marriott took control of Starwood, they began to migrate the Starwood Data Warehouse to Marriott. From a purely business perspective this makes sense, since one of the most valuable and rapidly actionable Starwood assets would have been its historical booking records.
…Marriott seems to suggest the breach was made in the reservation system.
However, it is unlikely this system would have had 500 million records, given the practice to remove booking records a number of days after checkout.
Even assuming half a million rooms in Starwood’s inventory at 90% occupancy, with average lengths of stay of two days, and up to two years of advance booking, such a database would not exceed 200 million records.
As for the SPG database, it would contain one record from each SPG member, but not even under the most optimistic scenarios would Starwood have had 500 million registered SPG guests.
…However, given that some of that data had already been migrated to Marriott, it is hard to say for certain whether the breach occurred in the Starwood system, the Marriott system, or in transit as a result of exposure during the Extract‐Transform‐Load process used during the migration.
He also offers reasons to be skeptical that the breach itself began in 2014. The alternative reading is that the data warehouse simply held records dating back to 2014, and those records were taken at some later point.
Regardless of what did or didn't happen, and of whom to blame, we're clearly not getting the full story from Marriott. Since it's our very sensitive personal information they failed to safeguard, we should be demanding it.