Early Friday morning, the hotel behemoth Marriott announced a massive hack that impacts as many as 500 million customers who made a reservation at a Starwood hotel. Marriott acquired the Starwood hospitality group, which operates numerous hotel brands including Sheraton, Westin, Aloft, and W Hotels, in September 2016. But the intrusion that caused the enormous data breach predates Marriott's acquisition, beginning in 2014.

Marriott says it is cooperating with law enforcement and regulators in investigating the hack, and the company hasn't finalized the number of people impacted. It currently seems that about 170 million Marriott customers only had their names and basic information like address or email address stolen. But the bulk of the victims—currently thought to be 327 million people—had different combinations of name, address, phone number, email address, date of birth, gender, trip and reservation information, passport number, and Starwood Preferred Guest account information all stolen.

"Four years is an eternity when it comes to breaches." David Kennedy, TrustedSec

Some credit card numbers were also stolen as part of the breach, Marriott says, but the company did not provide an initial estimate of how many were taken. The credit card numbers were encrypted with the algorithm AES-128—a reasonably robust choice—but Marriott says the attackers may have also compromised the decryption keys needed to unlock the data.

All in all, it's not a great situation.

“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO said in a statement on Friday. “We are doing everything we can to support our guests. ... We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

A Historic Breach

Breach response experts told WIRED on Friday that the sheer amount of time the attackers had inside the system—four years in all—likely made the breach much worse than it otherwise might have been. Time gives attackers the ability to chip away at defenses, or simply learn more about a system to understand where the valuable data is. Even with encrypted data, like the credit card numbers in this case, an attacker with enough access could steal the decryption keys, or swipe sensitive data before it ever has a chance to be encrypted in the first place. Either scenario seems possible, given the details Marriott has released so far.

“It’s all about key management and doing encryption in the places where an attacker might be,” says Johns Hopkins cryptographer Matthew Green. “There's no point in locking the gates if the bad guy is already inside."

Meanwhile, the attackers also had ample time to encrypt the stolen data as part of their exfiltration strategy. Hackers often use encryption as a tool to mask data and sneak it past a network's "data loss prevention" defenses, which monitor for sensitive data in transit.

Marriott says a digital security tool flagged suspicious attempted access to its United States Starwood guest reservation database on September 8 of this year. The company investigated, and seems to have blocked attacker access by September 10, because it says that no customer data was stolen after that date. But Marriott also says its initial investigation didn't definitively identify the scope of the problem until more than two months later, on November 19.

Marriott says its own digital systems were not affected, only the Starwood side. Some penetration testers and network breach responders speculated to WIRED on Friday that Marriott's acquisition of Starwood may have played a role in delaying detection if the companies were distracted by the larger topic of brokering the deal.