Here's why data breaches like the one at Marriott are 'treasure troves for spammers'

December 6, 2018 by Greg St. Martin, Northeastern University

The massive data breach revealed by Marriott International sheds light on what hackers often do with the personal data they steal, said Long Lu, a cybersecurity expert at Northeastern. Hackers, he said, frequently sell people's names, email addresses, and other personal information to spammers who, in turn, use it to steal people's identities or trick people into installing harmful software or buying fake merchandise.

"If you sell a large set of email addresses, along with names or other personal information, that's like a treasure trove for spammers," said Lu, an assistant professor in the College of Computer and Information Science. "Not only do they know what are the valid email addresses that they can send to, but they also have some basic information they can use to better target these owners."

Marriott, the world's largest hotel chain, said last week that its Starwood guest reservation database had been hacked and that the personal information of up to 500 million guests had been exposed. The majority of the victims in the Marriott breach, believed to be 317 million people, had a combination of their names, addresses, passport numbers, dates of birth, phone numbers, gender, addresses, and reservation stolen.

The methods used to hack the reservation system, the ability of Marriott to protect itself against breaches, and how the stolen data could be used all remain unclear. But Lu said that the hack exemplifies how sophisticated cyberattacks have become, the need for businesses to invest more resources in protecting their data, and the demand for laws that set industry standards for cybersecurity.

"If you're talking about a car, there are very specific safety restrictions and laws in place that require car manufacturers to do their best to make their cars safe," Lu said. "But I don't see an equivalent set of laws for cyber."

The breach affects customers who made reservations at Starwood-brand hotels and resorts between 2014 and September 2018, according to the New York Times. Marriott acquired Starwood, whose brands include Westin, W Hotels, and Sheraton, in 2016. Marriott-branded hotels, which include Residence Inn and the Ritz Carlton, reportedly operate on a different reservation system.

"I frankly was shocked at how big the scale was and how long it was going on for," Lu said. "This is probably, if it's not the worst, definitely one of the worst data breaches that I've seen in recent years."

He said that companies have begun to do a better job at protecting customer data and responding to breaches, and recommended that consumers try to protect their data by regularly changing their online passwords and monitoring their credit reports.

"Cyberattacks [are] something we cannot completely stop, but we can always do better to try to prevent it from happening or reduce the likelihood for an attack to happen," he said.
