Marriott admits it wasn't using encryption before major 2018 hack


For five years, the Marriott hotel chain claimed that it had been using secure encryption when it was hit by an unprecedented data breach in 2018.

In a major revelation, Marriott's attorneys, who have been pushing to have a court case against the company thrown out, have now disclosed that a significantly weaker cryptographic method, SHA-1 hashing rather than AES-128 encryption, was in use at the time of the breach.


Major implications for hotel chain

As reported by CSO, Judge John Preston Bailey gave the Marriott group seven days to update any incorrect information on its website. The information was corrected, but not in the most visible way.

The revelation that the card details and passport information of up to 380 million people were not protected with the AES-128 encryption claimed for the past five years was made in a two-sentence update to a security note originally published on January 4th 2019.

Speaking to CSO, Fuad Hamidli, cryptographer and senior lecturer at the New Jersey Institute of Technology said that, “SHA-1 is not secure. It is broken,” continuing to critique the use of SHA-1 by saying that it “is bad because it is not secure from a cryptographic perspective. I don’t know of any algorithm that can break AES-128. It doesn’t make any sense to protect data with SHA-1.”

A second encryption expert, Phil Smith, encryption product manager at Open Text, said, “You are not going to brute force an AES-128. You can crack SHA-1 in less than an hour.”
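To make concrete why a SHA-1 digest of a card number offers no real protection, here is an added example (not code from the article, from Marriott, or from the experts quoted). It assumes the attacker knows the six-digit BIN of the card range, builds Luhn-valid candidate numbers, and compares their unsalted SHA-1 digests against the stored value; the BIN, account numbers and digests are constructed for the demo. The recovery does not rely on SHA-1's known collision weaknesses at all: the problem is that valid card numbers form a tiny input space (at most a billion per BIN), so any unkeyed hash of them can be inverted by enumeration, whereas data encrypted under a secret AES-128 key gives the enumerator nothing to compare against.

```python
import hashlib
from typing import Optional

# Added example, not from the article or from Marriott: inverting an unsalted
# SHA-1 "protection" of a 16-digit card number by enumerating valid PANs.
# The BIN prefix and account numbers used below are constructed for the demo.


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for the 15 digits that precede it."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # the digit adjacent to the check digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_pan(bin_prefix: str, account: int) -> str:
    """Build a 16-digit, Luhn-valid PAN from a 6-digit BIN and a 9-digit account number."""
    partial = f"{bin_prefix}{account:09d}"
    return partial + luhn_check_digit(partial)


def sha1_hex(pan: str) -> str:
    """The 'protection' under discussion: an unkeyed, unsalted SHA-1 of the PAN."""
    return hashlib.sha1(pan.encode("ascii")).hexdigest()


def recover_pan(target_digest: str, bin_prefix: str, accounts: range) -> Optional[str]:
    """Invert an unsalted SHA-1 digest of a PAN by enumerating candidates.

    With a known BIN the search space is at most 10**9 Luhn-valid PANs, which is
    trivial on commodity hardware. This demo searches only the given window of
    account numbers so it finishes instantly; it returns None if the true PAN
    lies outside that window (the failure mode for a too-narrow guess).
    """
    for account in accounts:
        candidate = make_pan(bin_prefix, account)
        if sha1_hex(candidate) == target_digest:
            return candidate
    return None


if __name__ == "__main__":
    # What a SHA-1 "protected" table row would hold for a constructed test card.
    stored = sha1_hex(make_pan("411111", 12345))
    print("stored digest:", stored)
    print("recovered PAN:", recover_pan(stored, "411111", range(0, 100_000)))
```

The same enumeration run against an AES-128 ciphertext is pointless: without the key there is no function the attacker can apply to a candidate PAN to compare with the stored value, which is the distinction both experts are drawing.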

In response to court filings and arguments presented by attorneys on the use of SHA-1 as the chosen method of encryption, Lisa Ghannoum, representing Marriott, said, “Verizon, an independent third party, came to the same conclusion that Marriott initially had, that data in these involved tables were protected by AES-128 encryption, as did Marriott’s other technical experts, including CrowdStrike. It worked with a specialized team in response.” 

“It was only recently that Marriott had reason to question that. It moved with all due speed in order to verify whether or not that was the case, and as soon as it realized that there was a correction needed, it made that correction,” Ghannoum said.


Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.