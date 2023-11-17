A hacker breached the network of Marriott contractors as he attempted to gain access to the hotel giant’s customer database. Marriott denied that its systems were compromised. (Photo illustration by Miguel Candela/SOPA Images/LightRocket via Getty Images) LightRocket via Getty Images

A hacker told the FBI earlier this year that he sold access to personal data of Marriott hotel customers on a Russian platform, according to a search warrant. forbes, Justice Department investigators alleged that he also hacked several US state death certificate registration agencies in an attempt to fake his death.

The defendant, Jesse Keefe of Somerset, Kentucky, was charged last month with hacking the employee accounts of two Marriott contractors earlier this year: Canadian hotel internet services provider GuestTech and online marketing specialist Milestone. Investigators claimed that with access to its internal network, Kipff said he was able to view Marriott’s personal customer information and evidence showed he posted data on a Russia-based online forum known as Exploit.in. Access was sold.

Neither Marriott nor its contractors publicly disclosed the violations. Marriott spokeswoman Lisa Ravenscroft said the company’s own systems were not hacked and it was deemed “there was no impact to customer data.” Neither GuestTech nor Milestone had responded to requests for comment at the time of publication.

The Justice Department unsealed the indictment against Kipff earlier this month, charging him with identity theft and hacking into the GuestTech, Milestone and death certificate systems operated by the states of Arizona, Hawaii and Vermont. His lawyer did not respond to requests for comment at the time of publication.

The DOJ says it found more than 20 of the defendant’s driver’s licenses after the FBI raided his home. He had faked his death by registering his death in Hawaii and Vermont. Justice Department

The DOJ did not specify how Marriott customer data was affected by the breaches, although it claimed that Keefe had previously sold Social Security numbers and identification information online. Marriott has been the victim of several major breaches in recent years, most significantly in 2018 when data of over 500 million customers was compromised.

According to warrants, Kipf was caught in January after using his personal IP address to access the Hawaii State Department of Health computer system on which he registered his death certificate. It is alleged that he also sold access to Air Department systems on Exploit.in.

Keefe was arrested in July. The DOJ said that in an interview Kipf admitted to hacking death records systems in Arizona, Connecticut, Hawaii, Tennessee and Vermont, claiming in all cases but Hawaii he was testing how easily the servers could be hacked. Can be broken into.

However, Vermont officials later told the FBI that they had a death record for Kimf, which was created in May 2023. A spokesperson for the Vermont Department of Health said forbes He believed that no data was accessed.

The DOJ did not say how Kipf used his access to the internal systems of other health departments. The Arizona agency declined to comment. Other state departments responsible for death records had not responded to requests for comment at the time of publication. Hawaii had previously publicly confirmed the breach.

In the same DOJ interview, Kipf said he had been unemployed for five years and was selling personal information to people around the world, including Algeria, Ukraine, and Russia. He said that a few months before the interview, he had accessed Marriott’s customer relationship management system and sold that access to the Russians, although he did not provide further information about his identity, according to the warrant.

He then claimed that he “has access to all Marriott hotels around the world, their websites and backends,” adding that the Indian developers hired by the hospitality giant have “terrible habits and they use the same passwords.” Let’s reuse.” Marriott later told the FBI that they had observed an IP address of executives associated with Kipf, who was “attempting to access, view, and extract data from Marriott Internet domains and internal servers from February 9, 2023, through May 22, 2023, ” A total of 1,423 times.

“We investigated this matter earlier this year before being contacted by the FBI and then cooperated fully with the FBI’s investigation,” Marriott spokesperson Ravenscroft said in an emailed statement. “Based on our investigation and engagement with vendors, there was no breach of Marriott’s systems and we understand there was no impact to Marriott customer information.” He added: “Any claims that Marriott data or systems were compromised are false.”

“Kipf obtained the username and password of a GuestTech project manager who had administrator and global access to all of GuestTech’s current and past customers.” Department of Justice

The DOJ presented no evidence that Marriott’s own servers were hacked. However, one victim was GuestTech, which provides communications services to many Marriott hotels around the world, the DOJ said. In February, the FBI believes Kipf obtained the username and password of a GuestTech project manager who “had administrator and global access to all current and past customers of GuestTech,” according to the warrant.

Later, in June, an IP address associated with Kipf was used to gain access to two employee accounts of Milestone, a marketing company that helped Marriott run many of its websites. The FBI said usernames and passwords of two Milestone developers based in India were compromised. According to the search warrant, this gave the hacker access to the backend system that manages the customer interface for booking Marriott services.

The breaches could impact more hotel chains than Marriott. In a filing earlier this month, the Justice Department noted that GuestTech and Milestone had various customers in the hospitality industry and that “some of the networks breached by the defendants included personal information of customers of those major hotel chains.” The department said its investigation revealed “potentially thousands of people whose personal identifying information may have been available to Kipf or its customers.”

In February, around the same time as the GuestTech breach, an individual using the online alias “FreeRadical” was offering “network admin access to 3.9 thousand hotels worldwide” on exploit.in, the DOJ said. The same individual, whom the FBI believes to be Kipf, was later found to be selling over 1,000 Social Security numbers of Americans under the age of 18 and over 150,000 Social Security numbers of other US citizens. The same freeradical alias was used in January to sell access to US death registration systems and posted a redacted death certificate document as evidence of the breach. The Hawaii Department of Health was later able to identify an unpublished version of that document, discovering that it was Keefe’s own death certificate.

After being released on bail, the FBI suspects he continued hacking. The agency says the same IP address as the previous hack was used to breach Origin Physical Therapy, which provides healthcare services to 40 million women. (Origin did not respond to a request for comment at the time of publication.) The FBI says he allegedly used that access to send “political and extremely offensive language” to the healthcare company’s customers. The FBI alleged that one of Kipf’s other online aliases was seen offering “California USA credit cards in large quantities” on a hacker forum.

When police searched Kipf’s home, they found 22 driver’s licenses from countless states from Kentucky to Idaho, all with his photo on them. Federal investigators also learned that he had purchased five Canadian Gold Maple Leaf coins, each worth more than $2,000. It is unclear how or why Kipf attempted to fake his death, although avoiding law enforcement is a possible explanation.