The massive Marriott data breach affecting as many as 500 million individuals may be the work of hackers sponsored by the Chinese government, Reuters learned from several people investigating the incident.
Reuters’ sources said the hackers left behind some clues suggesting that the attack was part of an intelligence gathering operation conducted by the Chinese government. This assumption is based on the use of tools, techniques and procedures (TTPs) known to be associated with Chinese threat actors.
The potential involvement of the Chinese government in the breach suggests that the goal was espionage rather than financial gain.
However, Reuters’ sources admitted that since some of the hacking tools used in the attack are widely available, someone other than China could be behind the operation. Attribution is also made difficult by the fact that Marriott’s Starwood network had been compromised since 2014, which makes it more likely that several threat groups had access.
Marriott has refused to comment on the China attribution and representatives of the Chinese government reiterated that they oppose all types of cyberattacks.
China has been the main suspect in several high-profile attacks, including the massive breach disclosed by the U.S. Office of Personnel Management (OPM) in 2015.
Experts told Reuters that a cyber espionage operation could not be ruled out, especially judging by the duration of the campaign and the fact that the attackers managed to stay hidden for so long. Financially motivated cybercriminals are typically more interested in obtaining the data quickly, even if their activities are more likely to be detected by the victim.
In January, China ordered Marriott to suspend its Chinese website and app for one week after a survey sent out by the company listed Tibet and Taiwan as countries – China says Tibet and Taiwan are its territory.
Marriott revealed on November 30 that roughly 500 million individuals who had stayed at Starwood hotels may have had their personal information stolen by hackers. The attackers accessed names, addresses, phone numbers, email addresses, passport numbers, travel information and, in some cases, payment card data.
The hotel giant learned of the breach on September 8, when one of its internal security tools detected suspicious activity related to the Starwood guest reservation database. The investigation launched by the company revealed that the unauthorized access may have dated as far back as 2014.
Unsurprisingly, several lawsuits have been filed against Marriott over the data breach, by both customers and investors.