Hotel Data Breach

If you were one of the 500 million users affected by the December 2018 Marriott/Starwood password breach, your credentials were exposed, along with your personal details and, possibly, the credit card information on file.

The breach happened in a corporate customer database. While credential exposure is nothing new on the corporate side, the sheer scale of this breach has a number of obvious, and a few not so obvious, implications for the 500 million affected customers. Chances are, if you travel and stay at a hotel, this breach affects you.

There are a number of striking things about this breach.

  1. The sheer size of the breach: 500 million records
  2. The attack might have happened as far back as 2014
  3. Passport numbers, when stored with a user’s profile, were also compromised
  4. It is believed to be a state-sponsored attack because the user IDs and passwords have not shown up for sale…yet!

Let’s concentrate solely on the password breach aspects.

For the 500 million customers who have forever been compromised by the breach, the outlook is even worse once you factor in how people handle passwords. Statistically:

  • 250 million of the users compromised in this breach will have used that same compromised password on multiple websites.
  • Of those 250 million users, 175 million won’t change that breached password even a year later.
  • A further 100 million users will still be using that same compromised password a full 3 years later.

These stats are incredibly disturbing.

Individual users can’t do anything proactively about the corporate controls that protect their credentials in an IdP. In this case, most of the information that Marriott/Starwood collected was necessary for them to do business, and you couldn’t have stayed on any property without providing that information. However, there are corporate and consumer controls that could help both reduce the risk of the corporate identity database being hacked and prevent your consumer credentials from being leveraged in the future.

We don’t know how the hacker accessed the database, but we can safely assume the hacker did so through an administrative account. That admin account may have been brute-forced; if so, even a complex password would eventually be cracked. A password policy that rotates the passwords of admin accounts every so often would help, but few companies actually enforce that on service accounts with administrative access. Password policies are important, but even the most complex password is vulnerable once the credential store is hacked.

That’s why two-factor, or multifactor, authentication (MFA) is urgently needed. It requires an additional proof factor before allowing access. Even if 100% of the credentials are exposed, a second factor can be demanded before access to resources and applications is granted. This breach illustrates the necessity of one or more additional factors for at least administrative access to essential customer data.

Optimal IdM has a robust MFA offering that has been named “Best Multifactor Authentication Solution” in the 2017 Government Security News (GSN) Homeland Security Awards (HSA) Program under the Cyber Security Products and Solutions category. Contact us at sales@optimalidm.com for more information.

This is Part I of a two-part blog; Part II follows.
