Marriott admits it falsely claimed for five years it was using encryption during 2018 breach
In 2018, Marriott experienced a massive data breach. For years, the hotel chain defended itself by asserting that it had used strong encryption (AES-128) at the time of the breach. However, during an April 10 hearing, Marriott’s attorneys admitted that the company had not been using AES-128 at the time. Instead, it had employed the less secure Secure Hash Algorithm 1 (SHA-1), which is a one-way hashing function rather than encryption. The revelation has serious implications for the enterprise, and questions remain about why Marriott initially made the false encryption claim and how the truth came to light.
For more context, Marriott had previously announced that the payment card numbers and certain passport numbers in the database tables involved in the Starwood database security incident were protected using AES-128 encryption. However, this recent admission reveals that they were actually using SHA-1.
The case highlights the importance of accurate communication about security practices and the potential consequences when organizations misrepresent their security measures. It also underscores the need for transparency and accountability in handling data breaches.
If you’d like to read the full article, you can find it here.
Discover more from Chad M. Barr