Marriott Admits to Lack of Encryption in Massive 2018 Data Breach

In 2018, Marriott International faced a monumental data breach, impacting approximately 500 million guests, revealing a critical lapse in their data security measures. Initially, Marriott had assured the public that the compromised data was secured using Advanced Encryption Standard 128 (AES-128). However, recent court proceedings have unveiled a starkly different reality. During a hearing in April, under judicial directive, Marriott confessed that the affected systems were actually protected by Secure Hash Algorithm 1 (SHA-1), which, contrary to encryption, does not scramble data into unreadability.

The misunderstanding came to light only after Marriott was ordered by a judge to update their website with the correct information about their security protocols. The website update, discreetly placed on a page created in 2019, did not trigger any new alerts to customers, leaving many unaware of the change. The issue traces back to Marriott’s acquisition of Starwood Hotels & Resorts Worldwide in 2015, which necessitated a merging of data security systems—a process now scrutinized for its apparent oversight in encryption practices.

Critics and experts are questioning how Marriott, along with its hired third-party security auditors from prominent firms like Accenture, Verizon, and CrowdStrike, initially missed these crucial details. The situation raises concerns about the thoroughness of security audits and the transparency of information relayed to the public and affected individuals. This incident has put Marriott under the microscope once again, echoing concerns from a subsequent 2020 breach that affected an additional 5.2 million guests.