
Marriott admits it wasn’t using encryption before major 2018 hack

For five years, the Marriott hotel chain claimed that it had been using secure encryption when it was hit by an unprecedented data breach in 2018.

In a major revelation, Marriott attorneys, who have been pushing to have a court case against the company thrown out, have now disclosed that a significantly less effective cryptographic method was in use at the time of the breach.

What was actually in use was the Secure Hash Algorithm 1 (SHA-1), a hashing function rather than an encryption cipher, and not the AES-128 encryption the company had claimed to use for the past five years.
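As an added illustration that is not part of the article, the Python below shows why the distinction matters for data like card numbers: a SHA-1 digest needs no key, so anyone who knows the input format can recompute it and confirm a guess, while a keyed construction (HMAC used here as a stand-in for keyed protection; the key and sample card number are constructed) cannot be recomputed without the secret.

```python
import hashlib
import hmac

# Constructed, Luhn-valid test card number (a standard test value, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; it removes 9 of every 10 candidates."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def sha1_hex(pan: str) -> str:
    """Keyless hash: deterministic and recomputable by anyone holding the input format."""
    return hashlib.sha1(pan.encode()).hexdigest()


def keyed_hex(key: bytes, pan: str) -> str:
    """Keyed stand-in (HMAC-SHA256): recomputing requires the secret key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def hash_confirms_guess(stored_sha1: str, guess: str) -> bool:
    """Without any key, a stored SHA-1 digest lets a holder confirm a guessed number."""
    return hmac.compare_digest(stored_sha1, sha1_hex(guess))


def keyed_confirms_guess(stored: str, key: bytes, guess: str) -> bool:
    """The keyed digest only confirms a guess when the correct key is supplied."""
    return hmac.compare_digest(stored, keyed_hex(key, guess))


def pan_guess_space(total_len: int = 16, known_prefix: int = 6, known_suffix: int = 4) -> int:
    """Candidates remaining once the issuer prefix and last four digits are known,
    after the Luhn constraint; this is the whole search space for a keyless hash."""
    free_digits = total_len - known_prefix - known_suffix
    return (10 ** free_digits) // 10
```

The small value returned by `pan_guess_space()` is the practical point: a keyless hash of a structured, low-entropy identifier provides no confidentiality, regardless of which hash function is used.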

Major implications for hotel chain

As reported by CSO, the Marriott group was given seven days to update any incorrect information on its website by Judge John Preston Bailey. Incorrect information was corrected, but not in the most visible way. 

The revelation that the card details and passport information of up to 380 million people were not protected with the secure encryption claimed for the past five years was made in a two-sentence update to a security note originally published on January 4th 2019.

Speaking to CSO, Fuad Hamidli, cryptographer and senior lecturer at the New Jersey Institute of Technology said that, “SHA-1 is not secure. It is broken,” continuing to critique the use of SHA-1 by saying that it “is bad because it is not secure from a cryptographic perspective. I don’t know of any algorithm that can break AES-128. It doesn’t make any sense to protect data with SHA-1.”

A second encryption expert, Phil Smith, who is the encryption product manager at Open Text said, “You are not going to brute force an AES-128. You can crack SHA-1 in less than an hour.”

In response to court filings and arguments presented by attorneys on the use of SHA-1 as the chosen method of encryption, Lisa Ghannoum, representing Marriott, said, “Verizon, an independent third party, came to the same conclusion that Marriott initially had, that data in these involved tables were protected by AES-128 encryption, as did Marriott’s other technical experts, including CrowdStrike. It worked with a specialized team in response.” 

“It was only recently that Marriott had reason to question that. It moved with all due speed in order to verify whether or not that was the case, and as soon as it realized that there was a correction needed, it made that correction,” Ghannoum said.
