The Marriott International hotel group is the latest company to announce a large-scale hack of a customer database.
“We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.”
The company says that although credit card data was encrypted, it believes it possible that the hackers got the encryption keys too …
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
As with many previous retailer hacks, exposed credit card information leaves customers open to fraudulent charges on their account.
Apple Pay offers protection against this type of hack, because actual card details are never passed to the company. Your iPhone, Watch or Mac instead generates a one-time code which is used in place of the card number. Once that transaction is completed, the code can never be reused.
Apple Pay can be used on the web, either from an iOS device or from a Mac. With a Mac equipped with Touch ID, you can do it directly on the Mac; with other models, you use your iPhone or Apple Watch to complete the purchase. Either way, it works just like an in-person transaction: only a one-time code is passed to the website.
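A simplified model of the one-time-code idea described above, added here as an illustration; it is not Apple's actual protocol, nor code from Apple or Marriott. The `Issuer`, `Device` and `make_code` names, the HMAC construction, the counter and the card number are all assumptions constructed for the example.

```python
import hashlib, hmac, secrets

def make_code(key, token, merchant, amount, counter):
    """One-time code: a MAC over this exact transaction and a counter."""
    msg = f"{token}|{merchant}|{amount}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Hypothetical issuer: the only party that maps a token to a card."""
    def __init__(self):
        self._vault = {}    # token -> (card number, per-device key)
        self._used = set()  # (token, counter) pairs already authorised

    def provision(self, card_number):
        token, key = "tok_" + secrets.token_hex(8), secrets.token_bytes(32)
        self._vault[token] = (card_number, key)
        return token, key

    def authorise(self, p):
        if p["token"] not in self._vault:
            return False
        key = self._vault[p["token"]][1]
        good = make_code(key, p["token"], p["merchant"], p["amount"], p["counter"])
        if not hmac.compare_digest(good, p["code"]):
            return False  # code does not match this merchant/amount
        if (p["token"], p["counter"]) in self._used:
            return False  # code was already spent: replay rejected
        self._used.add((p["token"], p["counter"]))
        return True

class Device:
    """Hypothetical wallet: holds the token and key, never sends the card."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, merchant, amount):
        self._counter += 1
        code = make_code(self._key, self.token, merchant, amount, self._counter)
        return {"token": self.token, "merchant": merchant, "amount": amount,
                "counter": self._counter, "code": code}

def run_demo():
    card = "4111111111111111"  # constructed test number, not a real card
    issuer = Issuer()
    device = Device(*issuer.provision(card))
    record = device.pay("hotel.example", "250.00")  # what the merchant stores
    first = issuer.authorise(record)
    replay = issuer.authorise(record)                # thief reuses stolen record
    altered = issuer.authorise({**record, "amount": "9999.00"})
    return first, replay, altered, card in str(record)
```

`run_demo()` returns `(True, False, False, False)`: the original payment is accepted, a replayed or altered copy of the merchant's stored record is refused, and the card number never appears in that record.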
But relatively few websites currently offer Apple Pay as a payment option, so for most online purchases – whether buying goods, booking a flight or reserving a hotel room – we have to hand over our card details. The growing number of hacks of retailer sites means we should all be pushing companies to accept Apple Pay, both online and offline, to reduce the risk.