Marriott International has revealed more details about the mega hack that hit the hotel chain last year.
Testifying in front of a US Senate subcommittee, CEO Arne Sorenson began by apologising to the customers affected. He also quickly dismissed rumours that China was behind the hack.
The cyber breach was first detected on September 8, when IT company Accenture contacted Marriott to say it had detected an anomaly on the Starwood guest reservation database a day earlier, according to Sorenson.
“The Guardium alert was triggered by a query from an administrator’s account to return the count of rows from a table in the database,” he said.
“As part of our investigation into the alert, we learned that the individual whose credentials were used had not actually made the query.”
Further forensic investigations uncovered malware on the Starwood IT systems less than a week later.
“The investigators uncovered a Remote Access Trojan, a form of malware that allows an attacker to covertly access, surveil, and even gain control over a computer. I was notified of the ongoing investigation that day, and our Board was notified the following day,” Sorenson said.
Further into the investigation, they found that the hackers had been active on Starwood’s IT network since July 2014, long before Marriott’s acquisition, which meant that the hackers had operated for more than two years without being detected.
However, at this point there was still no evidence of hackers accessing customer data.
On November 13, after further investigation, they found that hackers had breached Starwood’s IT network and had stolen customer details from its guest reservation database.
The hotel chain then notified authorities and went public with its data breach disclosure on November 30.
The original estimate that the breach had impacted around 500 million customers has since been downgraded to around 383 million, with that figure also likely to be smaller still.
“[I]n many instances, there appear to be multiple records for the same guest, but because of the nature of the data, further de-duplication cannot easily be performed,” Sorenson said.
“We cannot confidently determine whether records with similar names, or even identical names with different addresses, represent one person or multiple people, but we have concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved.”
When asked about who was behind the cyber attack, Sorenson said he was unsure.
“The short answer is we don’t know,” he said. “I feel quite inadequate about even drawing inferences from the information that we’ve obtained.”