Marriott admits it wasn't using encryption before major 2018 hack

For five years, the Marriott hotel chain claimed that it had been using secure encryption when it was hit by an unprecedented data breach in 2018.

In a major revelation, Marriott attorneys, who have been pushing to have a court case against the company thrown out, have now revealed that a significantly less effective cryptographic method was in use at the time of the breach.

What was in use at the time was Secure Hash Algorithm 1 (SHA-1), which is used for hashing, not secure encryption, rather than the AES-128 encryption the company had claimed to use for the past five years.

Major implications for hotel chain

As reported by CSO, Judge John Preston Bailey gave the Marriott group seven days to update any incorrect information on its website. The incorrect information was corrected, but not in the most visible way.

The revelation that the card details and passport information of up to 380 million people were not protected with the secure encryption claimed for the past five years was made in a two-sentence update to a security note published on January 4th 2019.

Speaking to CSO, Fuad Hamidli, cryptographer and senior lecturer at the New Jersey Institute of Technology, said, “SHA-1 is not secure. It is broken,” and went on to critique the use of SHA-1 by saying that it “is bad because it is not secure from a cryptographic perspective. I don’t know of any algorithm that can break AES-128. It doesn’t make any sense to protect data with SHA-1.”

A second encryption expert, Phil Smith, who is the encryption product manager at Open Text, said, “You are not going to brute force an AES-128. You can crack SHA-1 in less than an hour.”

In response to court filings and arguments presented by attorneys on the use of SHA-1 as the chosen method of encryption, Lisa Ghannoum, representing Marriott, said, “Verizon, an independent third party, came to the same conclusion that Marriott initially had, that data in these involved tables were protected by AES-128 encryption, as did Marriott’s other technical experts, including CrowdStrike. It worked with a specialized team in response.” 

“It was only recently that Marriott had reason to question that. It moved with all due speed in order to verify whether or not that was the case, and as soon as it realized that there was a correction needed, it made that correction,” Ghannoum said.

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
