FlyerTalk Forums - View Single Post - Starwood/Marriott Data Breach 500 Million Guests affected, Marriott fined £18.4m
Dec 1, 2018, 5:53 pm  #246
24left
 
Join Date: Sep 2014
Programs: AC SE100K-1MM, NH, DL, AA, BA, Global Entry/Nexus, APEC..
Posts: 18,877
From WIRED Nov 30 2018

QUOTES:

"Some credit card numbers were also stolen as part of the breach, Marriott says, but the company did not provide an initial estimate of how many were taken. The credit card numbers were encrypted with the algorithm AES-128—a reasonably robust choice—but Marriott says the attackers may have also compromised the decryption keys needed to unlock the data.

All in all, it's not a great situation...

...Breach response experts told WIRED on Friday that the sheer amount of time the attackers had inside the system—four years in all—likely made the breach much worse than it otherwise might have been. Time gives attackers the ability to chip away at defenses, or simply learn more about a system to understand where the valuable data is. Even with encrypted data, like the credit card numbers in this case, an attacker with enough access could steal the decryption keys, or swipe sensitive data before it ever has a chance to be encrypted in the first place. Either scenario seems possible, given the details Marriott has released so far.

...Marriott says its own digital systems were not affected, only the Starwood side. Some penetration testers and network breach responders speculated to WIRED on Friday that Marriott's acquisition of Starwood may have played a role in delaying detection if the companies were distracted by the larger topic of brokering the deal.

"It's not clear whether the attacker already had access through Starwood before the merger, or whether Marriott had a copy of the database for evaluation purposes and due diligence and lost control of it there," says Jake Williams, founder of the penetration testing and incident response firm Rendition Infosec. "I can't believe that the merger wasn't a contributing factor in the breach."


Full article

https://www.wired.com/story/marriott...tect-yourself/