Marriott reveals 5 million unencrypted passport numbers were leaked in 2018 data breach

Marriott International said Friday that 5.25 million unencrypted passport numbers were stolen as part of a data breach it disclosed in November — but it also walked back the total number of people affected.

Among the information involved in the potential theft, the passport numbers and travel itineraries represent a potential espionage bonanza, a breach made more troubling since China has been seen as the likely origin of the cyberattack.

“Compromise of those passports is historic — 5.25 million individuals are essentially exposed to cybercrime and economic espionage,” Tom Kellermann, chief cybersecurity officer at Carbon Black, a Massachusetts-based cybersecurity firm, said. “The Chinese can now track individuals as they travel and leverage physical and cyber assets to spy on them.”

Paired with other sensitive data and intelligence, the passport numbers, potentially together with the compromised arrival, departure and reservation dates, could allow hostile nation states to track the movements of key government and business executives, revealing their activities and intentions, or could be used to recruit and coerce sources, intelligence and cybersecurity experts told NBC News.

“A passport number serves as a unique identifier and is required when entering and exiting international borders, as well as checking into hotels while traveling abroad,” Jon Condra, director of Asia Pacific research at the threat intelligence firm Flashpoint, said in an email. “Knowledge of this number would in theory aid Chinese intelligence efforts at tracking and establishing surveillance upon high value targets during travel.”

Even if the passport numbers are reissued, they could still be used to predict future travel by correlating them with past records, he said.

The company didn’t offer clues to the identity of the attackers in its latest update.

“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” Arne Sorenson, Marriott’s president and chief executive officer, said in a statement.

The company had initially said the hack compromised the data of up to 500 million guests but downgraded that to a maximum of 383 million guests. It said that number could fall further as the company identified duplicate customer records.

The revised figure still puts the breach among the largest ever reported, ahead of the credit-reporting agency Equifax’s loss of nearly 150 million customers’ data in 2017.

There were also nearly 20 million encrypted passport numbers involved in the intrusion, Marriott said, but there was no sign the attackers had stolen the master key needed to decode them back into numbers from scrambled text.

“It boggles the mind,” Mark Weatherford, former deputy undersecretary for cybersecurity at the Department of Homeland Security, said in an interview. “Why was 20 percent of their sensitive passport data unencrypted?”

“This is not simply credit card information that is easily changed,” Weatherford said. “This is incredibly sensitive and personal identification information that can be abused.”

Marriott also disclosed that the attack involved data on 8.6 million encrypted credit cards, of which all but 354,000 were expired. However, it said that fewer than 2,000 unencrypted card numbers still may have been swiped.

Posing as gay men on Twitter, a troll goes viral with attempts to falsely tie the LGBTQ community to pedophilia

Around Christmas Day, Karl Krause and Daan Colijn started receiving emails from their fans, telling them their pictures were being used to promote pedophilia in several viral posts on Twitter.

“They were outraged emails,” Krause said. “They were saying: ‘How can that be? You are not pro-pedophilia. I know that.’”

Krause and Colijn are gay travel bloggers who tell their followers of gay-friendly and LGBTQ-owned businesses and communities throughout the world. They had no idea their faces were being used to promote an idea they found abhorrent.

One of their pictures, which features Krause and Colijn kissing in front of a rainbow flag, had been stolen by a Twitter troll who went by the name “Alex,” an account that was created in December. The account then tweeted messages promoting pedophilia.

“It’s frustrating to see someone misusing our image for political purposes — basically supporting an argument against the LGBTQ community with our work,” Krause said.

The account successfully spread across Twitter the deliberately defamatory idea that pedophilia is an acceptable part of LGBTQ life. Over the last half-decade, that concept has become a staple of far-right internet trolls on websites like the fringe message board 4chan, and the troll’s message quickly gained internet traction.

Some far-right news websites wrote articles based on the tweet, including The Federalist Papers, which published a post with the headline, “Resistance Member Says Pedophilia Is Sexual Orientation, Claims Bigotry.”

One tweet from the troll’s account, which used the handle @vaceyi, stated that “Pedophilia is a sexual orientation you bigots.” That tweet has drawn more than 16,000 replies and received attention on far-right parts of the internet, drawing scathing responses from right-wing commentator and former Major League Baseball pitcher Curt Schilling and “pizzagate” conspiracy theorist Jack Posobiec, among others. They took the fake message seriously and used it to suggest that the LGBTQ community supports the sexual abuse of children.

“They are actually trying to argue that pedophiles are an ‘oppressed minority,’” Posobiec wrote on Twitter, attaching screenshots of @vaceyi’s tweets. “Many warned this day would come.”

Various efforts to tie the LGBTQ community to pedophilia have been linked back to 4chan, including the creation of a fake rainbow flag for Gay Pride Month that supposedly was designed to show acceptance of pedophilia. The flag, and a fake “LGBTP” acronym, were debunked by the fact-checking organization Snopes. In 2016, a 4chan post stated “if they want to demand that society accept their horses— identities, then it’s time we slip in one of our own” and implored users to “convince them pedos deserve rights too.”

Shortly after @vaceyi’s tweets went viral, one 4chan user posted Posobiec’s tweet mentioning the account, wondering if Posobiec knew that @vaceyi is a troll.

“Does [Posobiec] know he’s being trolled by you guys and just going with it to look good? Or does he think the person tweeting this is serious?” the user asked.