Marriott data breach traced to Chinese hackers as US readies crackdown on Beijing

The hack of Marriott's Starwood chain was only discovered in September and revealed late last month.
The hack of Marriott's Starwood chain was only discovered in September and revealed late last month.PHOTO: REUTERS

WASHINGTON (NYTIMES) - The cyber attack on the Marriott hotel chain was part of a Chinese intelligence-gathering effort that hacked health insurers, other hotels and the security clearance files of millions of Americans, according to two people briefed on the preliminary results of the investigation.

The hackers are suspected of working on behalf of the Chinese Ministry of State Security. The discovery comes as the Trump administration plans a series of actions targeting China's trade, cyber and economic policies.

The Justice Department is preparing to announce new indictments against Chinese hackers working for the intelligence and military services, according to four government officials who spoke on condition of anonymity.

The Trump administration also plans to declassify intelligence to reveal concerted efforts by Chinese agents, dating to 2014 or earlier, to build a database containing the names of executives and American government officials with security clearances.

And the administration is considering an executive order intended to make it harder for Chinese companies to obtain critical telecommunications equipment, a senior American official with knowledge of the plans said.

The coordinated moves could be announced within days. They stem from a growing concern within the administration that the 90-day trade truce negotiated between United States President Donald Trump and Chinese President Xi Jinping in Buenos Aires two weeks ago may do little to change China's behavior - including coercing American companies to hand over valuable technology if they seek to enter the Chinese market, as well as the theft of industrial secrets on behalf of state-owned companies.

The hack of Marriott's Starwood chain collected passport information or other personal details of roughly 500 million guests and was discovered only in September and revealed late last month. It is not expected to be part of the coming indictments.

But two of the government officials said it has added urgency to the administration's crackdown, given that Marriott is the top hotel provider for US government and military personnel.

It also is a prime example of what has vexed the Trump administration as China reverted over the past 18 months to the kind of cyber intrusions into American companies and government agencies that former president Barack Obama thought he had ended with a 2015 agreement with Mr Xi.


Mr Geng Shuang, a spokesman for the Chinese Ministry of Foreign Affairs, denied any knowledge of the Marriott hack.

"China firmly opposes all forms of cyber attack and cracks down on it in accordance with the law," he said. "If offered evidence, the relevant Chinese departments will carry out investigations according to the law."

"China is one of the major victims of threats to cyber security, including cyber hacking," he said.

Marriott spokeswoman Connie Kim said the company was focused on "how we can best help our guests" and said the firm "had no information about the cause of this incident and we have not speculated about the identity of the attacker".

Trade negotiators on both sides of the Pacific Ocean have been working on an agreement that would involve a commitment by China to increase purchases of American goods and services by US$1.2 trillion (S$1.6 trillion) over the next several years, along with addressing some intellectual property concerns.

On Tuesday, Mr Trump said that the US and China were having "very productive conversations" as top American and Chinese officials held their first talks via telephone since the two countries agreed to the trade truce on Dec 1.

But while top administration officials insist that the trade talks are proceeding on a separate track, the broader crackdown on China could undermine Mr Trump's ability to reach an agreement with Mr Xi.

American charges against senior members of China's intelligence services - in tandem with the targeting of high-profile technology executives, like Ms Meng Wanzhou, the chief financial officer of the communications giant Huawei and daughter of its founder - risk hardening opposition in Beijing to negotiating with Mr. Trump.

China has been angered by the arrest of Ms Meng, who has been detained in Canada on suspicion of fraud involving violations of US sanctions in Iran. She was granted bail of C$10 million (S$10.3 million), while awaiting extradition to the US, a Canadian judge ruled on Tuesday.

Mr Trump, in an interview with Reuters on Tuesday, said that he would consider intervening in the Huawei case if it would help serve national security and help get a trade deal done with China. Such a move would essentially pit Mr Trump against his own Justice Department, which coordinated with Canada to arrest Ms Meng as she changed planes in Vancouver.

"If I think it's good for what will be certainly the largest trade deal ever made - which is a very important thing - what's good for national security - I would certainly intervene if I thought it was necessary," Mr Trump said.

American business leaders have been bracing for retaliation from China, which has demanded the immediate release of Ms Meng and accused both the US and Canada of violating her human rights.

On Tuesday, the International Crisis Group said that one of its employees, a former Canadian diplomat, had been detained in China. The disappearance of the former diplomat, Mr Michael Kovrig, could further inflame tensions between China and Canada.

"We are doing everything possible to secure additional information on Michael's whereabouts as well as his prompt and safe release," the group said in a statement on its website.

From the first revelation that the Marriott chain's computer systems had been breached, there was widespread suspicion in both Washington and among cyber-security firms that the hack was not a matter of commercial espionage, but part of a much broader spy campaign to amass Americans' personal data.

While American intelligence agencies have not reached a final assessment of who performed the hack - called "attribution" in the world of cyber security - a range of firms brought in to assess the damage quickly saw computer code and patterns familiar to operations by Chinese actors.

The Marriott database contains not only credit card information but also passport data. Ms Lisa Monaco, the former White House homeland security adviser, noted at a conference last week that passport information would be particularly valuable in tracking who is crossing borders, what they look like, and other key data.

But officials on Tuesday said it was only part of an aggressive operation whose centrepiece was the 2014 hack into the Office of Personnel Management.

At the time, the government bureau loosely guarded the detailed forms that Americans fill out to get security clearances - forms that contain detailed financial data, information about spouses, children, past romantic relationships, and any meetings with foreigners.

Such information is exactly what the Chinese use to root out spies, recruit intelligence agents and build a rich repository of Americans' personal data for future targeting. With those details and more that were stolen from insurers like Anthem, the Marriott data adds another critical element to the intelligence profile: Travel habits.

Mr James A. Lewis, a cyber-security expert at the Centre for Strategic Studies in Washington, said the Chinese have collected "huge pots of data" to feed a Ministry of State Security database seeking to identify American spies - and the Chinese people talking to them.

"Big data is the new wave for counterintelligence," Mr Lewis said.

"It's Big Data hoovering," said Mr Dmitri Alperovitch, the chief technology officer at CrowdStrike, who first highlighted Chinese hacking as a threat researcher in 2011. "This data is all going back to a data lake that can be used for counterintelligence, recruiting new assets, anti-corruption campaigns or future targeting of individuals or organisations."

In the Marriott case, Chinese spies stole passport numbers for up to 327 million people - many of whom stayed at Sheraton Hotels, Westin and W Hotels and other Starwood brands. But Marriott has not said if it would pay to replace those passports, an undertaking that would cost tens of billions of dollars.

Instead, Ms Kim, the Marriott spokeswoman, said the hotel chain would cover the cost of replacement if "fraud has taken place". That means the company would not cover the cost of having exposed private data to the Chinese intelligence agencies if they did not use it to conduct commercial transactions - even though that is a breach of privacy and, perhaps, security.

And even for those guests who did not have passport information on file with the hotel, their phone numbers, birth dates and itineraries remain vulnerable.

That data, Mr Lewis and others said, can be used to track which Chinese citizens visited the same city, or hotel, as an American intelligence agent who was identified in data taken from the Office of Personnel Management or American health insurers that document patients' medical histories and Social Security numbers.

The effort to amass Americans' personal information so alarmed government officials that in 2016, the Obama administration threatened to block a US$14 billion bid by China's Anbang Insurance Group Co to acquire Starwood Hotel & Resorts Worldwide, according to one former official familiar with the work of the Committee on Foreign Investments in the US, a secretive government body that reviews foreign acquisitions.

Ultimately, the failed bid cleared the way for Marriott Hotels to acquire Starwood for US$13.6 billion later that year, becoming the world's largest hotel chain.

As it turned out, it was too late: Starwood's data had already been stolen by Chinese state hackers, though the breach was not discovered until this past summer, and disclosed by Marriott on Nov 30.

It is unclear that any kind of trade agreement reached with China by the Trump administration can address this kind of theft.

The Chinese regard intrusions into hotel chain databases as a standard kind of espionage. So does the US, which has often seized guest data from foreign hotels.

"One thing is very clear to me, and it is that they are not going to stop this," Mr Alperovitch said. "This is what any nation state intelligence agency would do. No nation state is going to handcuff themselves and say 'You can't do this,' because they all engage in similar detection."

Since 2012, analysts at the National Security Agency and its British counterpart, the GCHQ, have watched with growing alarm as sophisticated Chinese hackers, based in the Chinese city of Tianjin, began switching targets from companies and government agencies in the defence, energy and aerospace sectors, to organisations that housed troves of Americans' personal information.

At the time, one classified National Security Agency report noted that the hackers' "exact affiliation with Chinese government entities is not known, but their activities indicate a probable intelligence requirement feed" from China's Ministry of State Security, the country's Communist-controlled civilian spy agency.