Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese Spies Reportedly Behind Massive Marriott Hack (cnet.com)

Posted by BeauHD on from the finger-pointing dept.

An anonymous reader quotes a report from CNET: A Chinese intelligence-gathering effort was behind the massive Marriott hotels data breach that exposed the personal information for up to 500 million people, the New York Times reported Tuesday. The hackers are believed to have been working for China's Ministry of State Security, the Times reported citing sources who had been briefed on the investigation's preliminary results. The revelation emerges as the U.S. Justice Department is preparing to announce new indictments against Chinese hackers working for the intelligence and military services, the Times reported.

The hotel chain revealed last month that it had discovered that hackers had compromised the guest reservation database of its Starwood division, whose brands include Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis. Marriott said some of the stolen information also included payment card numbers and expiration dates. Private investigators involved in a probe into the breach had previously discovered hacking tools, techniques and procedures that were used in earlier cyberattacks that have been linked to Chinese hackers.

7 of 65 comments (clear)

  1. They must not be very competent... by gweihir · · Score: 2, Funny

    I expect professional spies to _not_ get caught or detected when doing such things. Breaking in is something amateurs can do today, but doing it without leaving evidence is something else.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:They must not be very competent... by sd4f · · Score: 3

      It would matter if they were to get some sort of punishment for it, but fact of the matter is nothing happens to them. If anything, that might be why they're so sloppy; because there are no detrimental consequences to them for doing it.

    2. Re:They must not be very competent... by Anonymous Coward · · Score: 2, Insightful

      It would matter if they were to get some sort of punishment for it, but fact of the matter is nothing happens to them. If anything, that might be why they're so sloppy; because there are no detrimental consequences to them for doing it.

      Leaving evidence of a state-sponsored intelligence operation can also be used to send a message.

      Ask Putin about that, with his nerve agent poisonings...

  2. Re:Funny how they can "determine" that by Zocalo · · Score: 4, Interesting

    After all, why spy at governments, branches of military, banks, political organisations, when you can go right for the real stuff and collect two years of past booking information from some hotel?

    Remember the OPM hack from a few years ago? All that data on the names of people working for the US Government in the wind? Now, imagine if you could somehow collate that database with another one that contains the travel records of around half a billion people. Unless working under cover they're going to have loyalty programs just like any other frequent traveller, and knowing even partial travel records of potential foreign agents could prove extremely useful if you were, say, trying to confirm which of all those people on OPM's books were just the routine military/contractor chaff vs. the wheat of the real operators and where they've been.

    --
    UNIX? They're not even circumcised! Savages!
  3. We need a law by Anonymous Coward · · Score: 2

    If you cannot safeguard customersâ(TM) data, it should be a jailable offense to take, gather, request, or accept, or store customersâ(TM)s data. Itâ(TM)s become abundantly clear that NO ONE can safeguard customer data, therefore it should be regarded as contraband for all businesses. Any business that wants, for example, to issue loyalty cards, should only be allowed to do so provided there is NO connection with the individual with the account. Account username policy would be âoeyour account login is your loyalty card number; safeguard this, because we have no way to restore if you lose it, because we are LEGALLY PROHIBITED from keeping any data on you. Period.â

    If I started a company, this is how it would behave. Why, you ask, loyalty cards? Thatâ(TM)s not really quite what they would be, but theyâ(TM)d be analogous to them, but not connectable to any person.

    So if you hacked somehow into my company database, you wouldn't know whose data you had.

    Also, for every real account in the database, thered be about a thousand fakes. Good luck figuring out anything useful from all the fake data. :-)

  4. USA spies already had that info. by Moskit · · Score: 2

    USA (and affiliate) spies must have already had the same information. In a way the Chinese (or whoever really was behind the hack) just equalized the situation.
    Likely neither gathered it in a fully legal way (it's not exclusively USA laws that apply worldwide).

  5. Re:Horrible idea by Virtucon · · Score: 2

    What defines bad behavior? That's what Firewall vendors all make a living on.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"