• Marriott admits it wasn't using encryption before major 2018 hack

    From TechnologyDaily@1337:1/100 to All on Wed May 1 15:45:05 2024
    Marriott admits it wasn't using encryption before major 2018 hack

    Date:
    Wed, 01 May 2024 15:30:00 +0000

    Description:
    Marriott was using a hashing algorithm, not secure encryption, to secure card details and passport information at the time of the breach

    FULL STORY ======================================================================

    For five years, the Marriott hotel chain claimed that it had been using
    secure encryption when it was hit by an unprecedented data breach in 2018.

    In a major revelation, Marriott attorneys, who have been pushing to have a court case against the company thrown out, have now revealed that a significantly less effective cryptographic method was in use at the time of the breach.

    What was in use at the time was the secure hash algorithm 1 (SHA-1) - which
    is used for hashing, not secure encryption - rather than the AES-128 encryption it had claimed to use for the past five years.

    Major implications for hotel chain

    As reported by CSO, the Marriott group was given seven days to update any incorrect information on its website by Judge John Preston Bailey. Incorrect information was corrected, but not in the most visible way.

    The revelation that the card details and passport information of up to 380 million people were not protected with the secure encryption claimed for the past five years was made in a two-sentence update to a security note
    published on January 4th 2019.

    Speaking to CSO, Fuad Hamidli, cryptographer and senior lecturer at the New Jersey Institute of Technology, said that "SHA-1 is not secure. It is broken," continuing to critique the use of SHA-1 by saying that it is "bad because it
    is not secure from a cryptographic perspective. I don't know of any algorithm that can break AES-128. It doesn't make any sense to protect data with SHA-1."

    A second encryption expert, Phil Smith, who is the encryption product manager at Open Text, said, "You are not going to brute force an AES-128. You can crack SHA-1 in less than an hour."

    In response to court filings and arguments presented by attorneys on the use of SHA-1 as the chosen method of encryption, Lisa Ghannoum, representing Marriott, said, "Verizon, an independent third party, came to the same conclusion that Marriott initially had, that data in these involved tables were protected by AES-128 encryption, as did Marriott's other technical experts, including CrowdStrike. It worked with a specialized team in
    response."

    "It was only recently that Marriott had reason to question that. It moved with all due speed in order to verify whether or not that was the case, and as
    soon as it realized that there was a correction needed, it made that correction," Ghannoum said.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/marriott-admits-it-wasnt-using-encryption-before-major-2018-hack


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)