Marriott Admits Massive Data Breach of 500 Million Starwood Resort Guests
Marriott, one of the world’s largest resort and hotel complexes, said its reservations system was recently hacked. Over 500 million guests had their personal information exposed, the company noted.
The hack largely affects one reservation database: Starwood Group. Those hotels include popular brands like the St. Regis, Westin, Sheraton, and W Hotels.
Hotel security was first alerted of the issue on September 8 of this year. However, there had been unauthorized breaches since 2014.
“Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” the company said in a statement.
“Marriott quickly engaged leading security experts to help determine what occurred. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.
On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”
The information potentially compromised includes names, phone numbers, email addresses, passport data, date of birth, and arrival/departure details.
Millions had their credit card information and card expiration dates exposed.
The company cannot confirm or deny hackers being able to decrypt the card information.
CEO Arne Sorenson made a statement to the media: “We fell short of what our guests deserve and what we expect of ourselves.
We are doing everything we can to support our guests and using lessons learned to be better moving forward.”
Marriott told the public it moved swiftly to stop the hacking.
“From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts," the company wrote on its website.
"Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center.
We are supporting the efforts of law enforcement and working with leading security experts to improve.
Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."
Several security experts noted this breach marks one of the largest corporate hacks in history.
Luckily, it didn’t come anywhere near Yahoo’s 3 billion account breach in 2017. Uber also lost data for over 57 million of its customers.
"What makes this serious is the number of people involved, the intimacy of the data that was taken and the long delay between the breach and discovery," said Mark Rasch, a former U.S. federal cyber crimes prosecutor, in an interview with Reuters.
Marriott could face penalties from the United Kingdom and the European Union for failing General Data Protection Regulation standards.
Anyone concerned that their data might be part of what has been exposed should visit Marriott’s separate page explaining the issue and further steps they should take.
Interesting Engineering will continue monitoring this story and updating it as more information becomes available.