United States infosec spooks went public and said the hack had similarities to the attacks on the Office of Personnel Management and insurance companies. These had been traced back to China.
The educated guess is that Chinese intelligence will use the information taken to identify and locate US military personnel and build profiles on them. Ditto to surveil Chinese nationals travelling overseas.
Personal information of many other nationalities was taken too, including New Zealanders. Marriott has sent the same email to Kiwi guests, promising free identity monitoring which, if the Chinese intelligence service was behind the hack, won't be very useful unless the stolen info turns up in fraudulent use.
If you're a high-value target in NZ though and stayed at a Starwood hotel, future China travel might just be a little more nervous than in the past.
For Kiwis, the email's a bit of a joke. It refers people to US, European Union and Canadian privacy law and authorities but mentions no such things for New Zealanders.
No compensation is offered beyond the identity monitoring, which is just wrong. At the very least Marriott should offer to pay for new passports and other identity credentials for guests who had those details taken.
Having to wait for something bad to happen and then claim compo means the stolen data retains its value until it's used, and sits there like a ticking time bomb for people. Stolen personal information is used in increasingly creative fraud attempts.
From credential stuffing and account takeover to impersonation, spamming, phishing and really ugly extortion — the list gets longer every month.
So many services and accounts have been compromised that I think it's time for Troy Hunt's excellent https://haveIbeenpwned.com ("owned" or hacked) site to be renamed to Youhavebeenpwned.com.
Troy's site currently lists almost 5.7 billion hacked accounts, and that number continues to go up. Go and have a look to see whether your account is listed there.
Long story short, you will be hacked if you're not already.
Do we accept the fact and try to live with it, declare all-out war on hackers, or devise systems for user verification and access to information we wish to share without actually handing over any sensitive data?
My bet is that it'll be all three. Now if you'll excuse me I need to set up identity monitoring before something bad happens.