It’s easy to focus on the big number associated with the Starwood breach announced by Marriott International on Friday — 500 million accounts compromised. But I’m focused on a much smaller number: four. As in, hackers had access to Starwood networks for four years. In the world of “advanced persistent threats,” this sounds like some kind of record to me.
Four years is a long time for criminals to take up residence on a network. It’s a very long time to hide their tracks. Their method for doing so seems ingenious. The criminals encrypted data they wanted to steal before exfiltrating it from the network. Why? It might have been done to evade security software that rings alarm bells when it spots data being moved suspiciously around a network.
I’m also focused on the type of data stolen. Once upon a time, “compromised credit card accounts” got all the headlines. But as Uber’s Melanie Ensign said recently on a panel I moderated, when a new hack is announced, “I hope it’s credit cards.” That’s easy to deal with. The Starwood incident involves, in some cases, passport numbers. That kind of information would be awfully interesting to someone who wanted to keep track of important peoples’ movements around the globe.
Who did it and why? That’s no academic question. Whenever an incident like this occurs, the obvious question is: What should I do about this? How can I protect myself? Until we know who did this and why, it’s hard to give advice on how to protect yourself. Marriott hasn’t said anything about “who” and “why,” so we are left to speculate.
This is no ordinary credit card data heist. If the criminals were using card accounts stolen in this incident, banks would have figured out where the stolen cards had come from long ago. I doubt it’s an identity theft ring. There’s no way some kind of casual prankster or amateur would have kept up this effort for four years. Something more serious is going on here. These are professionals. This is pure speculation on my part, but it sounds more like the work of a nation-state or some other large entity with big plans.
I can’t help but be influenced by my reporting on the Yahoo hack of 2014-2016 — which this hack is now being compared to — or the attack on the Office of Personnel Management hack in 2015. In the Yahoo case, we know Russians working for the FSB intelligence agency spent two full years accessing millions of user emails. In the OPM case, Chinese hackers accessed millions of government worker records, including background reports and fingerprints. The goal of those hacks seems to have been massive intelligence gathering, and in some cases, creation of dossiers on targeted individuals.
Imagine if an intelligence-gathering operation could marry data from hacks like Yahoo or OPM with the Starwood data. With passport information, it seems obvious the data could be used to create a travel map of targeted individuals.
I repeat, this is speculation. But if you are a person who wants to know what to do to react to this crime, I think it would be smart to assume the Starwood attack involves a sophisticated agency with such big plans. So start there.
What should I do about the possibility that a nation-state has a dossier on me?
In reality, not much. I think that’s life today. I spoke to an analyst on Friday who put it this way: We’ll probably wake up in a few years and realize that the global cyber war began years before we realized; and America was “0wned.”
What’s should I do about stolen passport numbers?
Passport numbers, along with other personal information, could be theoretically used to make fraudulent passports. That’s non-trivial — much harder than making a cloned credit card, and riskier to use — but it does happen. Still, theft of physical passports is a much greater risk. There isn’t much you can do about stolen passport numbers, other than the very extreme step of replacing your passport. Given the risk level, that’s not worth it.
What’s the risk from the credit card numbers that might have been stolen in this incident?
The usual. Check your bills carefully and look for fraud, then report it. Fortunately, that’s easy to recover from. And in general, if your account numbers were stolen back in 2014, I’m sure they would have been used for fraud by now.
I was not a Starwood Preferred Guest member. Should I care?
Probably. If you stayed at a Starwood hotel in the past four years, you’re probably impacted. The list of hotel brands is long: Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Meridien, Tribute, Design Hotels, Elements and the Luxury Collection.
Should I accept Marriott’s offer of dark web monitoring?
Why not? The service will theoretically alert you if your personal information is being sold or shared online. It’s better than nothing, though a year of dark web monitoring is cold comfort after a four-year-long hack. Surely, criminals who have your data will be smart enough to wait until another year has passed before they use it. These criminals are also probably smart enough not to trade your information on the dark web. But still, free is free. U.S. residents, click here to sign up.
What else can I do?
The usual. Change your Starwood password, if it still exists or is in use after the Marriott acquisition of Starwood and the integration of the Starwood Preferred Guest program into Marriott Rewards earlier this year. Recall all the *other* places you used your Starwood password (bad you!) and change those passwords too. Check your credit report periodically. Put a credit freeze on your report (it’s free now!). And be alert for any strange activity in your digital life.
Also, critically, don’t overreact. While this Starwood story is dramatic, it probably doesn’t increase your risk of being an identity theft victim all that much (odds are about 1 in 20 annually, depending on how you count). It’s mainly another reminder of how fragile our digital lives are.