Marriott admits it wasn't using encryption before major 2018 hack
SHA-1 was used, not AES-128
For five years, the Marriott hotel chain claimed that it had been using secure encryption when it was hit by an unprecedented data breach in 2018.
In a major revelation, Marriott attorneys, who have been pushing to have a court case against the company thrown out, have now disclosed that a significantly weaker cryptographic method was in use at the time of the breach.
What was actually in use was the Secure Hash Algorithm 1 (SHA-1), a one-way hash function rather than an encryption algorithm, not the AES-128 encryption the company had claimed to be using for the past five years. The distinction matters: encryption protects data with a secret key that an attacker must obtain or brute-force, whereas a hash has no key at all, so anyone holding the hashed values can simply hash candidate inputs and compare.
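The following Python script is an added illustration of why hashing is not a substitute for encryption for data such as card numbers; it is not code from Marriott or from the court filings, and the page does not describe the exact storage scheme Marriott used. It assumes, purely for illustration, that a bare SHA-1 digest of a 16-digit card number was stored, and that an attacker knows the six-digit issuer prefix (BIN) and the last four digits (routinely printed on receipts). With the Luhn check digit filtering candidates, that leaves only 100,000 possible card numbers to hash, so the "protected" value is recovered in well under a second. The card number used is the widely published Visa test number, not a real account.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample values: the standard Visa test number, split into the
# parts an attacker is assumed to know (BIN prefix and last four digits).
SAMPLE_PAN = "4111111111111111"
KNOWN_BIN6 = SAMPLE_PAN[:6]
KNOWN_LAST4 = SAMPLE_PAN[-4:]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sha1_hex(pan: str) -> str:
    """Unsalted SHA-1 of the card number: the hypothetical 'protection' being attacked."""
    return hashlib.sha1(pan.encode("ascii")).hexdigest()


def recover_pan(digest: str, bin6: str, last4: str) -> Tuple[Optional[str], int]:
    """Recover a 16-digit PAN from its SHA-1 digest given the BIN and last four digits.

    Enumerates the six unknown middle digits (10**6 values), skips candidates that
    fail the Luhn check, and hashes the rest until one matches. Returns the PAN
    (or None) and the number of SHA-1 computations performed.
    """
    hashes_tried = 0
    for middle in range(10 ** 6):
        candidate = f"{bin6}{middle:06d}{last4}"
        if not luhn_valid(candidate):
            continue
        hashes_tried += 1
        if sha1_hex(candidate) == digest:
            return candidate, hashes_tried
    return None, hashes_tried


if __name__ == "__main__":
    stored = sha1_hex(SAMPLE_PAN)   # what a 'hashed, not encrypted' table would hold
    pan, tried = recover_pan(stored, KNOWN_BIN6, KNOWN_LAST4)
    print(f"stored digest : {stored}")
    print(f"recovered PAN : {pan} after {tried} SHA-1 computations")
```

The point is not a weakness peculiar to SHA-1: any unkeyed hash, SHA-256 included, would fall to the same enumeration because the input space is tiny and there is no secret to guess. Encrypting the same field under AES-128 with a properly managed key would leave an attacker facing 2^128 keys instead of 100,000 candidate card numbers.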
Major implications for hotel chain
As reported by CSO, the Marriott group was given seven days to update any incorrect information on its website by Judge John Preston Bailey. Incorrect information was corrected, but not in the most visible way.
The revelation that the card details and passport information of up to 380 million people were not protected with the encryption claimed for the past five years was made in a two-sentence update to a security notice originally published on January 4th 2019.
Speaking to CSO, Fuad Hamidli, cryptographer and senior lecturer at the New Jersey Institute of Technology said that, “SHA-1 is not secure. It is broken,” continuing to critique the use of SHA-1 by saying that it “is bad because it is not secure from a cryptographic perspective. I don’t know of any algorithm that can break AES-128. It doesn’t make any sense to protect data with SHA-1.”
A second encryption expert, Phil Smith, who is the encryption product manager at Open Text said, “You are not going to brute force an AES-128. You can crack SHA-1 in less than an hour.”
In response to court filings and arguments presented by attorneys on the use of SHA-1 as the chosen method of encryption, Lisa Ghannoum, representing Marriott, said, “Verizon, an independent third party, came to the same conclusion that Marriott initially had, that data in these involved tables were protected by AES-128 encryption, as did Marriott’s other technical experts, including CrowdStrike. It worked with a specialized team in response.”
“It was only recently that Marriott had reason to question that. It moved with all due speed in order to verify whether or not that was the case, and as soon as it realized that there was a correction needed, it made that correction,” Ghannoum said.
Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.