Happy weekend, Cyber Saturday readers.
I’m back stateside after a week-and-a-half stay in China, where I helped host Fortune‘s 2018 Global Tech Forum. I hope you understand the absence of last weekend’s dispatch; following the event, I took an impromptu vacation in Hong Kong. Thankfully, I did not stay at a Marriott hotel. Speaking of which.
As you have no doubt heard by now, Marriott disclosed a massive data breach that exposed up to 500 million customer records. Hackers accessed information in the company’s Starwood reservation system, which affected brands such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and other properties in the Starwood portfolio, the company said. The intrusion apparently began in 2014, two years before Marriott acquired Starwood. This oversight in the M&A process calls to mind another recent, post-acquisition hacker-surprise: Yahoo, whose two mega-breaches remained undetected when the company sold to Verizon last year. Coincidentally, Marriott’s hack is the biggest suffered by a corporation, second only to those at Yahoo.
After news of the Marriott breach came out, Sen. Charles E. Schumer (D-N.Y.) called on the hotel chain to foot the bill and replace people’s passports which were potentially compromised as part of the breach. Marriott quickly promised to cover the cost for as many as 327 million people whose passport numbers may have been exposed. At a fee of $110 per passport, that would put Marriott on the hook to pay up to $36 billion—a price tag equivalent to the value of the entire company, per its market capitalization. A devastating payout.
Here’s the thing though: While seemingly noble, Marriott’s promise is a bunch of baloney. The company said it will follow through on reimbursement only in instances where it “determine[s] that fraud has taken place.” What this caveat conveniently excludes is that Marriott’s hack likely had little to do with fraud and everything to do with espionage. In other words, if you’re a victim, don’t expect remuneration.
As Reuters reported, investigators believe the perpetrators of this attack were Chinese spies. The breach used tools, tactics, and procedures that matched Beijing’s style. The intrusion is said to have begun shortly after a breach of the government’s Office of Personnel Management, which government officials have attributed to China. The Starwood database represents a massive trove of potential intelligence: information on who is staying where, when—a bonanza for building up profiles of targets and tracking people of interest.
Geng Shuang, China’s Ministry of Foreign Affairs spokesperson, issued a statement saying the country “opposes all forms of cyber attack,” per Reuters. He said the country would investigate the claims, if offered evidence. Meanwhile, Connie Kim, a Marriott spokesperson, said “we’ve got nothing to share” about the Chinese attribution claim.
The Marriott breach—which took place quietly over years, as spies prefer—does not appear to have been a cybercriminal score. The passport payment pledge is probably bunk; nevertheless, if you think you might have been affected, it won’t hurt to follow these steps to refresh your cybersecurity hygiene and better protect yourself.
Have a great weekend.
Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.