For over five years, Marriott claimed that it had used a high level of encryption (AES-128) during the 2018 breach, only to reveal during a court case in April 2024 that it had actually been using a less secure hashing mechanism (SHA-1) and no encryption at all. Despite initially defending its use of AES-128, Marriott admitted in a hearing that it had never implemented it. The court ordered Marriott to correct the misinformation on its website within seven days.

Marriott falsely claimed encryption use during 2018 breach for 5 years

This revelation raises serious questions about why Marriott made the false encryption claim, how independent firms conducting forensic investigations failed to notice the absence of encryption, and when Marriott discovered the truth. This misinformation could have far-reaching consequences, including potential breaches of contracts with insurers, SEC issues, and impacts on stock prices. The technical disparity between AES-128 and SHA-1, highlighted by experts, suggests that the lack of encryption could have been easily detected during system integration. Plaintiffs' counsel argued that the misidentification by Marriott impeded fraud detection efforts and potentially resulted in lost information regarding payment card data. While Marriott downplayed the seriousness of the issue, the revelation has significant implications for the ongoing litigation and Marriott's data security practices.
https://www.csoonline.com/article/2096365/marriott-admits-it-falsely-claimed-for-five-years-it-was-using-encryption-during-2018-breach.html
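The point about how easily the difference between AES-128 and SHA-1 could have been detected can be made concrete with a length-and-recompute check, shown here as an added example that is not from the article or from any party to the case. The function name, the hex-encoded storage format and the sample records are assumptions constructed for illustration.

```python
import hashlib

AES_BLOCK = 16   # AES block size in bytes (same for every AES key size)
SHA1_LEN = 20    # SHA-1 digest size in bytes

def classify_stored_values(hex_values, known_pairs=()):
    """Classify a column of hex-encoded stored values (hypothetical helper).

    known_pairs: (plaintext, stored_hex) pairs taken from test records
    whose plaintext the reviewer already knows.
    """
    if not hex_values:
        raise ValueError("no stored values to inspect")
    lengths = {len(bytes.fromhex(v)) for v in hex_values}
    findings = {
        "lengths": sorted(lengths),
        # Padded block modes (CBC/ECB) always emit a multiple of 16 bytes.
        "block_aligned": all(n % AES_BLOCK == 0 for n in lengths),
        # A digest has one fixed size no matter how long the input was.
        "sha1_sized": lengths == {SHA1_LEN},
        # An unkeyed hash can be recomputed from the plaintext alone.
        "sha1_confirmed": any(
            hashlib.sha1(p.encode()).hexdigest() == s.lower()
            for p, s in known_pairs
        ),
    }
    if findings["sha1_confirmed"]:
        findings["verdict"] = "unsalted SHA-1 hash, not encryption"
    elif findings["sha1_sized"]:
        findings["verdict"] = "160-bit digest likely, not AES block output"
    elif findings["block_aligned"]:
        findings["verdict"] = "consistent with block-cipher ciphertext"
    else:
        findings["verdict"] = "inconclusive"
    return findings

# Constructed sample data (not from any real system): plaintexts of
# different lengths, stored the way a SHA-1-based system would store them.
SAMPLE_PLAINTEXTS = ["TEST-0001", "TEST-RECORD-000000002", "T3"]
SAMPLE_COLUMN = [hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    pairs = [(SAMPLE_PLAINTEXTS[0], SAMPLE_COLUMN[0])]
    print(classify_stored_values(SAMPLE_COLUMN, known_pairs=pairs))
```

A 20-byte value cannot be the output of a padded AES block mode, and a value that can be reproduced from the plaintext with no key is by definition not encrypted.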