In what is one of the biggest security breaches in American history, the hotel chain Marriott recently revealed that the sensitive information of about 500 million customers was hacked during a 4-year period between 2014 and 2018. Media reports suggest that the Chinese government was behind the hack, which possibly forms part of a larger intelligence-gathering operation.
Out of 500 million accounts that got hacked, 327 million accounts have been classified as having suffered from a severe theft of information. This includes details like passport number, date of birth, reservation date, Starwood Preferred Guest (SPG) account information, phone number, communication preferences, arrival and departure, and other basic info like name, physical address, and email ID.
Details of payment card numbers and expiration dates of some guests were also hacked. The payment card numbers were encrypted using AES-128 standard. According to the company, two pieces of information are required to break the encryption and it is possible that the hackers have access to them. As far as the remaining guests are concerned, only basic information was stolen.
“We deeply regret this incident happened… We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward… We will also continue to support the efforts of law enforcement and to work with leading security experts to improve,” Arne Sorenson, Marriott’s President and Chief Executive Officer, said in a statement (Marriott).
The hackers have been discovered to be operating from China and “are suspected of working on behalf of the Ministry of State Security, the country’s Communist-controlled civilian spy agency,” according to The New York Times. U.S. officials are said to be on high alert following the discovery since Marriott is a top hospitality provider for American military and government personnel. As such, information about key people within the United States’ power structure might have been compromised during the breach.
“I see a very intelligent multi-year pattern of behavior to cross correlate data points to build a profile of every American citizen… The Chinese government wants to know everything it can about U.S. citizens,” Gary Miliefsky, cybersecurity expert and publisher of Cyber Defense Magazine, said to The Epoch Times.
China’s history of stealing U.S. citizen data goes way back. In 2014, Chinese hackers are said to have stolen personal info from the U.S. Office of Personnel Management. Later on, health records of 80 million people were hacked from the health insurance company Anthem Inc.
With access to personal data of American citizens, Beijing can leverage it against U.S. interests. For instance, the Chinese government can identify weak points in certain American citizens, say a U.S. embassy diplomat, and force them to do the Communist Party’s bidding. The Chinese government might also integrate the large amounts of U.S. citizen data into next-generation military warfare, putting America at a disadvantage.
Meanwhile, the Trump administration is said to be working on new cybersecurity policies to counter the Chinese threat. For one, the U.S. government wants to indict Chinese hackers who work for the military or intelligence services. Chinese companies might also face severe restrictions in obtaining important components for their telecommunication infrastructure. The government may also declassify intelligence reports that reveal Chinese attempts to steal data of U.S. citizens.