Hotel Data Breach

If you were one of the up to 500 million guests affected by the Marriott/Starwood breach disclosed in late 2018, your credentials were exposed, your personal details were taken and, possibly, so was the payment card information on file.

The breach happened in a corporate customer database (the Starwood guest reservation database). While credential exposure is nothing new on the corporate side, the sheer scale of this breach has a number of obvious, and a few not so obvious, implications for the 500 million affected customers. Chances are, if you travel and stay at hotels, this breach affects you.

There are a number of striking things about this breach.

  1. The sheer size of the breach: 500 million records
  2. The unauthorized access may have started as far back as 2014, so the attackers were in the database for roughly four years before it was detected
  3. Passport numbers, when stored with a user's profile, were also compromised
  4. It is believed to be a state-sponsored attack because the user IDs and passwords have not shown up for sale…yet!

Let’s concentrate solely on the password breach aspects.

For the 500 million customers whose details are now permanently exposed, the outlook is worse than the headline suggests, because of password reuse. Applying typical reuse and rotation rates to this population:

  • About 250 million of the affected users will have used the same compromised password on multiple websites.
  • Of those 250 million users, about 175 million won't have changed that breached password even a year later.
  • A further 100 million users will still be using that same compromised password a full three years later.

These figures are incredibly disturbing.

Individual users can do nothing proactively about the corporate controls that protect their credentials inside a company's identity provider (IdP). In this case, most of the information that Marriott/Starwood collected was necessary for them to do business; you could not have stayed at any of their properties without providing it. However, there are corporate and consumer controls that reduce both the risk of the corporate identity database being breached and the risk of your consumer credentials being leveraged in the future.

We don't know how the attacker accessed the database, but a reasonable assumption is that they did so through an administrative account. That account may have been attacked by brute force; given enough attempts, or an offline copy of the password hashes, even a complex password will eventually be cracked. A policy of regularly rotating administrative passwords would at least narrow the window of exposure, but few companies actually enforce rotation on service accounts with administrative access. Password policies are important, but even the most complex password is no longer a meaningful control once the credential store itself has been copied.

That's why two-factor, or multifactor, authentication (MFA) is urgently needed. It requires an additional proof of identity from a different category (something you have or something you are, rather than another thing you know) before access is granted. Even if 100% of the credentials are exposed, the second factor is still checked before access to resources and applications is allowed, so the stolen password on its own is not enough. This breach illustrates the necessity of at least one additional factor for administrative access to essential customer data.
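To make the point concrete, here is an added example (written for this page, not Optimal IdM's product code) of a login check that requires both a password and a time-based one-time code (TOTP, RFC 6238, the scheme used by authenticator apps). The user record, password and TOTP seed are constructed demo values; the seed is the RFC 4226/6238 reference seed so the RFC test vectors apply, and the PBKDF2 work factor is an assumption. It shows that a password lifted from a breached credential store fails on its own, and that a one-time code captured once cannot be replayed within the same time step.

```python
"""Added example: password + TOTP login check (illustrative, not product code)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

TOTP_STEP = 30           # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6          # code length used by most authenticator apps
PBKDF2_ROUNDS = 200_000  # assumed work factor for the stored password hash

# RFC 4226 / RFC 6238 reference seed (constructed demo value, never use in production).
DEMO_TOTP_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(at: float, step: int = TOTP_STEP) -> int:
    """Time-step counter for a Unix timestamp."""
    return int(at) // step


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, totp_counter(at))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the credential store."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> Optional[int]:
    """Return the counter the code matches (allowing +/- `window` steps of clock drift), else None."""
    base = totp_counter(at)
    matched = None
    for drift in range(-window, window + 1):
        counter = base + drift
        # Check every candidate rather than returning early, to keep timing uniform.
        if hmac.compare_digest(hotp(secret, counter), code) and matched is None:
            matched = counter
    return matched


def make_user(password: str, totp_seed: bytes) -> dict:
    """Constructed user record, shaped like what a credential store would hold."""
    salt, digest = hash_password(password)
    return {"salt": salt, "pw_hash": digest, "totp_seed": totp_seed,
            "last_totp_counter": -1}


def login(user: dict, password: str, code: str, at: Optional[float] = None) -> bool:
    """Both factors must pass; a TOTP counter that was already accepted is rejected (replay)."""
    at = time.time() if at is None else at
    password_ok = verify_password(password, user["salt"], user["pw_hash"])
    counter = verify_totp(user["totp_seed"], code, at)
    code_ok = counter is not None and counter > user["last_totp_counter"]
    if password_ok and code_ok:
        user["last_totp_counter"] = counter  # burn the code: one use per time step
        return True
    return False


if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_TOTP_SEED)  # constructed demo password
    at = 59  # fixed timestamp so the RFC test vector (counter 1 -> 287082) applies
    stolen_pw = "correct horse battery staple"  # what a breached credential store yields
    print("stolen password, no valid code:", login(user, stolen_pw, "000000", at))  # False
    print("stolen password + live code:   ", login(user, stolen_pw, "287082", at))  # True
    print("same code replayed:            ", login(user, stolen_pw, "287082", at + 30))  # False
```

The drift window accepts the previous and next 30-second step because phones and servers are rarely in perfect sync; the `last_totp_counter` check is what keeps that tolerance from turning a captured code into a reusable one.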

Are You A Person of Interest?

The breach is believed to be state-sponsored. The state sponsored hackers are the same ones believed to be involved in other alarmingly large breaches such as the Anthem breach and the Office of Personnel Management. These records aren’t currently for sale on the dark web. Why? Because the data is likely being used to seed a data warehouse of identity details for large scale nefarious data mining.

Unfriendly nation-states can use the incredibly detailed identity analytics from these breaches to profile you. And if you are a person of interest, assume they can and will use this information to compromise you.

For some 327 million of the guests the breach contains detailed information which includes some combination of a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

What can you expect? What can you do?

  1. Immediately change your Starwood/Marriott password to a unique, complex password not used anywhere else
  2. If you reused the breached password on any other site, immediately change it there to a unique, complex password you haven't used (and won't use) anywhere else
  3. Wherever it is offered, enable two-factor or multifactor authentication on the goods, services, applications and resources you use. It greatly reduces the chance of impersonation.
  4. Use a reputable password vault as the store for your unique, complex passwords
  5. Expect new and better (more detailed) phishing attacks built from the PII extracted from the database
  6. Expect nation-states to potentially use this information as leverage if you are a person of interest to them

Your corporate data is at risk, your customer PII data is at risk, your administrative credentials are at risk. Passwords alone are not enough.

Multifactor authentication (MFA) is one of the best methods of protecting against online phishing, fraud, impersonation and credential-based attacks. One caveat: a one-time code can still be relayed by a real-time phishing proxy sitting in the middle of the login, so where the option exists, prefer phishing-resistant factors such as FIDO2 security keys, which bind the login to the genuine site.

To have some semblance of a proper security posture, you must assume you are already breached. You should feel some urgency to aggressively defend your user base. MFA doesn’t have to be difficult to implement.

Optimal IdM has a robust MFA offering that has been named “Best Multifactor Authentication Solution” in the 2017 Government Security News (GSN) Homeland Security Awards (HSA) Program under the Cyber Security Products and Solutions category. Contact us at for more information.

Contact Optimal IdM Today

Optimal IdM offers on-premises, hybrid and dedicated, single tenant cloud solutions. We can have most customers up and running within a few days — sometimes in just a few hours. Optimal IdM supports encryption both in transit and at rest. We provide a full identity solution with concierge services — no federation expertise or specialized skills needed by you. We’ll bring our expertise to your identity issues and help future proof your investment.

For more details, contact us to talk through your project at


  • The database in which all of your organization’s sensitive identity data is stored.
  • A digital ledger in which digital transactions are recorded chronologically and publicly.
  • Securely managing customer identity and profile data, and controlling customer access to applications and services.
  • The means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
  • A legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU.
  • The policy-based centralized orchestration of user identity management and access control.
  • An authentication infrastructure that is built, hosted and managed by a third-party service provider.
  • A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
  • A global provider of innovative and affordable identity access management solutions. 
  • Managing and auditing account and data access by privileged users.
  • Tools and technologies for controlling user access to critical information within an organization.
  • An authentication process that allows a user to access multiple applications with one set of login credentials.
