US Investigators Point to China in Marriott Hack Affecting 500 Million Guests

United States investigators now believe that a 2018 Marriott cyberattack, which exposed the personal data of 500 million guests, was conceived and carried out by hackers working for the Chinese government. Sources familiar with the investigation say that the Marriott breach was just the latest in an ongoing intelligence-gathering effort by the Chinese government, dating back to the 2014 hack of the Office of Personnel Management and the 2015 data breach of health insurer Anthem.

American intelligence agencies and cybersecurity firms were able to identify patterns in the hackers’ code that aligned with those found in previous Chinese cyberattacks. In addition, the attack involved both a unique style of server-hopping and a cloud-hosting service known to be employed by Chinese operatives.

Investigators had further reason to believe that the hack was government-led when they discovered that none of the breached data had appeared for sale on the dark web. Typically, hackers sell the personal data they’ve stolen to individuals on the dark web, who use the information to commit identity theft. Since Marriott’s stolen information wasn’t put up for sale, experts believe the attack was part of a greater effort by the Chinese government to track the whereabouts of American citizens.

“This data is all going back to a data lake that can be used for counterintelligence,” said Dmitri Alperovitch, chief technology officer at CrowdStrike. “[It can be used for] recruiting new assets, anticorruption campaigns or future targeting of individuals or organizations.” Stolen data from the Marriott breach included credit card information, as well as passport data and itinerary information, which could be used to track the movements of government officials, spies and businesspeople worldwide.

Since news of the data breach broke in November 2018, Chinese officials have denied allegations that they were behind the hack. “China firmly opposes all forms of cyberattack and cracks down on it in accordance with the law,” said Geng Shuang of China’s Ministry of Foreign Affairs. “If offered evidence, the relevant Chinese departments will carry out investigations according to the law.”

China isn’t alone in using data security weaknesses in hotels and other private companies to extract sensitive information. “This is what any nation-state intelligence agency would do,” Alperovitch said. “No nation-state is going to handcuff themselves and say, ‘You can’t do this,’ because they all engage in similar detection.” Echoing Alperovitch’s statement, when asked about the incident, former director of national intelligence James R. Clapper told Congress, “if we had the opportunity to do the same thing, we’d probably do it.”

With these technological and geopolitical circumstances in mind, it’s clear that securing personal details to the best of one’s ability is an essential modern precaution. To keep your personal data safe, change your passwords often and consider using an encrypted credit card service, such as Eno, that allows users to shop online without using their real credit card number.