Last week, the Marriott hotel group disclosed that it had been the victim of what’s shaping up to be the second biggest data breach of all time. Few details have been made public on who might be responsible for the theft of data from 500 million guest records, but Reuters reports that investigators believe espionage by China is involved.
According to Reuters, an independent investigative team that’s looking into the breach for Marriott found “hacking tools, techniques and procedures” that are associated with hacking groups working for Chinese intelligence. From the report:
“That suggests that Chinese hackers may have been behind a campaign designed to collect information for use in Beijing’s espionage efforts and not for financial gain, two of the sources said.
“While China has emerged as the lead suspect in the case, the sources cautioned it was possible somebody else was behind the hack because other parties had access to the same hacking tools, some of which have previously been posted online.”
Part of the reason that intelligence gathering is believed to have been the hackers’ motive is that they were inside Marriott’s Starwood reservation system for so long. The system was first infiltrated in 2014, according to the company, and the intruders waited until now to scoop up millions of names, passport numbers, addresses, phone numbers, birth dates, email addresses, and in some cases credit card information. Michael Sussmann, a former senior computer crimes specialist for the Department of Justice, told Reuters, “Patience is a virtue for spies, but not for criminals trying to steal credit card numbers.”
If intelligence operatives were biding their time to maximize their haul, they hit the jackpot. Marriott purchased the high-end hotelier Starwood in 2016 and integrated its booking system while inheriting its unknown cybersecurity problems.
But the sources told Reuters it’s also difficult to lay the blame directly at China’s feet because they suspect multiple hacking groups have been inside the Starwood system since 2014. Plus, attributing cyberattacks is notoriously difficult in general.
Questioned about the accusations at a news conference in Beijing, Chinese Foreign Ministry spokesman Geng Shuang said, “If the relevant side has any evidence, they can provide it to the Chinese side, and relevant authorities will investigate in accordance with the law.”
Another reason for suspicion of China is that the initial breach in 2014 came right around the time that, according to U.S. intelligence, the country’s operatives began poking around in the systems of the Office of Personnel Management. That incident eventually resulted in the attackers making off with sensitive data related to millions of the OPM’s employees. Theoretically, cross-referencing that kind of information with hotel and travel records could yield intelligence benefits.
When contacted by Gizmodo for comment, a spokesperson for Marriott told us, “Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests. We are not speculating about who had unauthorized access to our system.”
Earlier this year, Marriott took the extraordinary step of firing a social media manager simply for liking a tweet from someone who praised the company for recognizing Tibet “as a country, rather than part of China, in an online survey.” Marriott also issued an official apology. It’s safe to say the hotel chain is in no hurry to start making hacking accusations against China.
This report also comes at a difficult time for U.S. and Chinese relations, as both governments are in the midst of intense trade negotiations that have sent financial markets into chaos. On top of the Marriott news, it was reported on Thursday that Huawei’s CFO, Meng Wanzhou, was arrested in Canada on behalf of the U.S. on undisclosed charges and may be extradited to stand trial in New York. Huawei is the biggest private company in China’s centrally planned economy, and Meng is the daughter of the company’s founder. The case has already incensed Chinese authorities.