Comment: Marriott guest system hack shows the need for wider rollout of Apple Pay on the web

The Marriott International hotel group is the latest company to announce a large-scale hack of a customer database.

We have taken measures to investigate and address a data security incident involving the Starwood guest reservation database. The investigation has determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.

The company says that although credit card data was encrypted, it believes it possible that the hackers got the encryption keys too …

Author Ad Placeholder
Will only appear on redesign env.

For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.

As with many previous retailer hacks, exposed credit card information leaves customers open to fraudulent charges on their account.

Apple Pay offers protection against this type of hack, because actual card details are never passed to the company. Your iPhone, Watch or Mac instead generates a one-time code which is used in place of the card number. Once that transaction is completed, the code can never be reused.

Apple Pay can be used on the web, either from an iOS device or from a Mac. With a Mac equipped with Touch ID, you can do it directly on the Mac; with other models, you use your iPhone or Apple Watch to complete the purchase. Either way, it works the same way as an in-person transaction: only a one-time code is passed to the website.

But relatively few websites currently offer Apple Pay as a payment option, so for most online purchases – whether buying goods, booking a flight or reserving a hotel room – we have to hand over our card details. The growing number of hacks of retailer sites means we should all be pushing companies to accept Apple Pay, both online and offline, to reduce the risk.

Photo: Shutterstock

Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear