Cyber Incident Victim: Marriott International
Date: Jan 2014
Location: Canada
Summary
A cyberattack attributed to Chinese state-sponsored hackers compromised the personal data of approximately 500 million guests at a major hotel chain, stealing passport details, credit card information, and travel itineraries. The breach, linked to China's Ministry of State Security, formed part of a broader intelligence-gathering operation targeting U.S. entities, including health insurers and security clearance databases, to amass personal data for counterintelligence and recruitment purposes. The intrusion originated in systems belonging to Starwood Hotels prior to its acquisition by the victim, remaining undetected for years before discovery. Exfiltrated data provided insights into travel patterns and personal identifiers, enhancing China's ability to profile individuals with security clearances or government affiliations.
Description
The Marriott International data breach, disclosed on November 30, 2018, involved unauthorized access to the Starwood guest reservation database affecting approximately 500 million individuals. The intrusion was first detected in September 2018 but had persisted since at least 2014, prior to Marriott's $13.6 billion acquisition of Starwood Hotels & Resorts Worldwide in 2016. Attackers exfiltrated sensitive personal information including names, mailing addresses, phone numbers, email addresses, passport numbers, travel itineraries, and payment card details. Of the affected guests, up to 327 million had passport numbers compromised. The breach impacted guests who made reservations at Starwood-branded properties including Sheraton, Westin, W Hotels, St. Regis, and Four Points. Investigators identified technical indicators linking the attack to Chinese state-sponsored actors believed to be operating on behalf of China's Ministry of State Security, though U.S. intelligence agencies had not issued a final attribution assessment at the time of reporting.

The breach formed part of a broader Chinese intelligence operation that previously targeted the U.S. Office of Personnel Management (2014) and health insurers like Anthem, collectively compromising security clearance files, medical histories, and Social Security numbers of millions of Americans. Analysts concluded the stolen Marriott data enhanced China's ability to track travel patterns, correlate individuals with known intelligence personnel identified through prior breaches, and build comprehensive profiles for counterintelligence operations. Marriott offered affected guests one year of free WebWatcher monitoring service but limited passport replacement cost coverage to cases where documented fraud occurred. The U.S. government considered the breach particularly significant because Marriott served as the primary hotel provider for American military and government personnel. The incident influenced broader Trump administration actions against Chinese cyber activities, including planned indictments of state-sponsored hackers and proposed restrictions on Chinese telecommunications equipment procurement. Forensic investigations revealed the attackers employed techniques consistent with advanced persistent threat groups historically associated with Chinese intelligence services.
