[Security Weekly] Marriott Data Breach Leaked 5.2 Million Customers’ Personal Information

1st Week of April 2020


1. Marriott data breach leaks personal information of 5.2 million loyalty members


Marriott International, operating some of the largest hotel chains in the world, has suffered a massive data breach that compromised the personal data of over 5.2 million guests. All victims were members of the Marriott Bonvoy loyalty program who accessed their accounts using its smartphone app.

Marriott disclosed the incident by posting a notification letter on its website. According to the released information, hackers first obtained the login credentials of two employees at one of its hotel chains and used those credentials to get into the app’s backend. The intrusion is said to have begun in mid-January but was only discovered in late February.

The hotel conglomerate did not offer any more detailed information on the attack. Compromised information included the victims’ names, affiliations, mailing addresses, phone numbers, email addresses, and loyalty account information, as well as the loyalty account information of linked airline programs.

Marriott’s investigation team stated that no passwords or payment card information were compromised, and the company opened a web portal for customers to check whether they were affected. This is the second data breach in less than two years for Marriott, the previous one having taken place in late 2018.

Source: The Wall Street Journal


2. All Georgian citizens’ personal information compromised and posted online


Over the last weekend, data breach monitoring firm Under the Breach discovered a Microsoft Access file posted on a hacker forum containing the personally identifiable information of 4,934,863 Georgian citizens. With a total size of 1.04 GB, the file contained each person’s full name, date of birth, home address, ID numbers, and phone numbers.

As the current population of the Eastern European country is estimated at around 3.7 million, the database evidently included deceased persons as well. The hackers who posted the file refused to disclose where they stole the data from, and no government agency or company has yet admitted to a breach, so the source of the data remains an open question.

Source: ZDNet


3. Video conferencing software Zoom under attack, multiple vulnerabilities discovered


As COVID-19 shuts down a significant amount of socioeconomic activities, usage of Zoom, a popular video conferencing software, has skyrocketed. According to the company’s CEO Eric Yuan, the number of daily users has increased from 10 million in December to 200 million in March.

This surge in popularity has made Zoom a tempting target for cybercriminals. After the widespread problem of uninvited guests disrupting online meetings, serious software flaws raising both security and privacy concerns have started to become apparent. Multiple vulnerabilities were disclosed over the past week.

First of all, security researchers discovered that Zoom does not use end-to-end encryption as advertised. The company confirmed this week that end-to-end encryption was not possible for the platform and apologized for false advertising.

There is more. The application was found to secretly send data to Facebook, despite the company’s claim that it does not sell data to any third party.

The application was also found to install itself on macOS without prompting for the administrator’s permission. An attacker could exploit this flaw to inject malicious code into the Zoom installer and take over the operating system, which would then allow further malware to be installed on the device. The same flaw also let attackers gain access to the user’s webcam and microphone. Zoom fixed the issue on Thursday and issued another apology.

All of the above vulnerabilities were found in the last week alone. Zoom had frequently been criticized in the past for security issues and misconfigurations. For example, in 2019 it was found to secretly install a web server on users’ devices that could automatically add them to a meeting without their permission. It was also criticized for a feature that tracked users’ mouse activity, allowing employers to check whether employees were doing anything else during a meeting.

Sources: The Guardian, BBC, Tech Crunch


4. Digital wallet Key Ring leaks data of 44 million stored items


Key Ring is a popular digital wallet mobile app used by millions of people. Users scan and store their wallet items in the app, such as IDs, credit cards, membership cards, and gift cards.

Earlier this week, security researchers at vpnMentor disclosed that a misconfiguration of the app’s Amazon Web Services (AWS) S3 storage bucket had exposed over 44 million wallet items belonging to over 14 million users. The exposure was discovered in January with web-scanning tools, which found the bucket configured as “public” instead of “private”.
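In S3 terms, a bucket is “public” when its ACL grants access to the AllUsers or AuthenticatedUsers group, or when its bucket policy allows actions to the wildcard principal, and the account’s public access block settings do not neutralise those grants. The offline checker below, added here as an illustration and not code from the page, Key Ring or vpnMentor, evaluates an ACL, a bucket policy and a public access block configuration the way an auditor would before scanners find the bucket. The group URIs and the four public access block setting names are real AWS identifiers; the bucket name, account ID, role name and all configuration documents are constructed placeholders.

```python
"""Offline audit of S3 bucket configuration for public exposure (added example).

Evaluates ACL grants, bucket policy statements and the account/bucket public
access block, and reports what is reachable by everyone. All documents below are
constructed samples; nothing here calls AWS.
"""
import json

# Real S3 ACL group URIs that mean "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def _as_list(value):
    """IAM/S3 documents allow a string or a list in the same slot."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """A statement is public when its Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_exposure(acl, policy=None, public_access_block=None):
    """Return a list of human-readable findings; an empty list means not public."""
    findings = []
    pab = public_access_block or {}

    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            if pab.get("IgnorePublicAcls"):
                continue  # public on paper, but S3 ignores the grant
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")

    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if pab.get("RestrictPublicBuckets"):
            continue  # public policy is only honoured for the account's own principals
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append(f"Policy statement {stmt.get('Sid', '<no Sid>')} allows {actions} to everyone")

    return findings


# Constructed "weak" configuration: owner plus world-readable ACL and a public-read policy.
EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-wallet-bucket", "arn:aws:s3:::example-wallet-bucket/*"],
    }],
}

# Constructed "corrected" configuration: owner-only ACL, a policy scoped to one
# application role, and the public access block fully enabled.
HARDENED_ACL = {"Owner": EXPOSED_ACL["Owner"], "Grants": EXPOSED_ACL["Grants"][:1]}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-wallet-bucket/*",
    }],
}
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    print("exposed:  ", json.dumps(find_public_exposure(EXPOSED_ACL, EXPOSED_POLICY)))
    print("hardened: ", json.dumps(find_public_exposure(HARDENED_ACL, HARDENED_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK)))
    # The access block alone neutralises the weak ACL and policy, which is why
    # enabling it account-wide is the usual first step after an incident like this.
    print("exposed+block:", json.dumps(find_public_exposure(EXPOSED_ACL, EXPOSED_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK)))
```

The third case matters in practice: the public access block is evaluated before ACLs and policies, so turning it on closes the exposure even before every bucket's ACL and policy has been cleaned up.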

The exposed data included personally identifiable information such as IDs, medical insurance cards, NRA membership cards, and credit cards with full payment information. What’s worse is that because many retailers use the wallet to manage their membership lists, exposed data also included the membership information of millions of customers from retailers including Walmart, Foot Locker, and Kleenex.

The researchers notified Key Ring of the problem right after the discovery. Even though the misconfiguration was quickly fixed, criminals could already have obtained the data: the configuration allowed anyone to download the contents and keep copies offline, where they are impossible to trace. Millions of people are now exposed to identity theft and fraud.

Source: Threatpost


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Web Application Firewall for Cloud: WAPPLES SA

Database Encryption: D’Amo

Authentication: ISign+ 

Smart Car Security: AutoCrypt