U.S. government investigators increasingly believe that Chinese state hackers likely were responsible for the massive breach reported last month of Marriott's Starwood chain hotel reservation system, which exposed the private information and travel details of as many as 500 million people, according to two people briefed on the government investigation.
These people cautioned the investigation is not yet complete, so definitive conclusions are not possible. But the sweep and seriousness of the hack, which took place over four years before being discovered, prompted immediate speculation that it was carried out by a foreign country.
Preliminary indications are the breach was conducted by hackers affiliated with the Chinese Ministry of State Security, said the people, who spoke on the condition of anonymity to reveal information not yet ready for public release. The MSS, an intelligence and security agency, has been behind many of the Chinese government intrusions into sensitive U.S. networks in recent years.
Some U.S. intelligence officials believe that the breach was conducted to enrich the massive Chinese data sets on U.S. and other citizens that have been amassed for years, the people said. Such breaches include the 2015 Office of Personnel Management intrusion, which compromised the personal data of more than 20 million government employees, family members and applicants, and also information collected during Chinese breaches of health care institutions such as Anthem and CareFirst.
The FBI and other intelligence agencies declined to comment.
The New York Times first reported that investigators believe the attackers likely were from a Chinese state intelligence service.
The Marriott breach exposed an unusually broad array of data, including names, addresses, phone numbers, passport numbers and credit card numbers, as well as information on where people traveled and with whom.
Such information would be valuable not just to criminals seeking to commit identity fraud but also intelligence agencies seeking to build dossiers and track movements of diplomats, spies, military personnel, business executives and journalists, according to several cybersecurity experts. Armed with a rich array of personal data, an intelligence agency can also tailor an approach to a person to see if the individual can be recruited as a spy or blackmailed for information. The passport data, which is not often collected in data breaches, likely was a particularly valuable find for the hackers.
The people familiar with the investigation said the Marriott breach involved the same cloud hosting space as Chinese state hackers have used in the past, and that one signature technique that involved hopping among servers also points to Chinese involvement. Another clue suggesting nation-state involvement was that none of the breached data has appeared on the "dark web" or any of the forums that criminals typically use to sell stolen credentials and other valuable personal data.
"If it were a criminal act, people would be trying to sell it," said one of the people familiar with the investigation.
The breach of the reservation system for Marriott's Starwood subsidiaries was one of the largest in history, affecting travelers at hotel chains St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points and W Hotels from 2014 onward, according to a Marriott news release last month.
Marriott acquired Starwood in 2016 and kept the reservation databases separate from its own until recently. The reservation system of Marriott hotels themselves, based in Bethesda, Maryland, were not affected by the breach. The company has more than 6,700 properties around the world.
An internal security tool flagged the possible breach beginning on Sept. 8 and later discovered the hackers had accessed customer information and attempted to remove it in encrypted form, the company said. Marriott was able to decrypt the information and understand the extent of the breach only in November, it said.
Marriott on Tuesday reiterated its previous comment on the data breach, saying in a statement: "Our primary objectives in this investigation are figuring out what occurred and how we can best help our guests. We have no information about the cause of this incident, and we have not speculated about the identity of the attacker."
China's foreign ministry declined to comment Wednesday. But a spokesman last week said that "China firmly opposes all forms of cyber attack and cracks down on it in accordance with the law."
"If offered evidence, the relevant Chinese departments will carry out investigations according to the law. We firmly object to making groundless accusations on the issue of cyber security," spokesman Geng Shuang said at a press briefing when asked about the Marriott allegations.
News of the breach prompted several U.S. government officials to announce investigations, including New York Attorney General Barbara Underwood, Maryland Attorney General Brian Frosh and Pennsylvania Attorney General Josh Shapiro. Several members of Congress also publicly demanded answers.
Privacy advocates long have warned that travel data can provide remarkably precise insights into the lifestyles, tastes and personal relationships of individuals, but the industry has lagged behind others, such as banking, in securing information against hackers.
The Washington Post’s Taylor Telford and Anna Fifeld in Beijing contributed to this report.