Marriott reveals massive database breach affecting millions of Starwood hotel guests


Marriott is revealing a massive database breach today, affecting up to 500 million guests of its Starwood hotels, which the company acquired in 2016. A security investigation has concluded that there was “unauthorized access” to a database holding hotel guest records. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014,” says a statement from the company. The Starwood security breach affects a number of branded hotels owned by Marriott, including W Hotels, Sheraton, St. Regis, Westin, and more.

The breach includes 327 million records of “some combination” of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Marriott isn’t providing an exact number, but “some” hotel guests will have had their payment card information leaked. Marriott did encrypt this information using Advanced Encryption Standard encryption (AES-128), but the company notes that both components needed to decrypt the payment card numbers may also have been stolen.

Database breaches are far too common, but it’s unusual to hear of a large company failing to detect unauthorized access to its network and a key customer database for a period of four years. Marriott’s carefully worded statement doesn’t identify who obtained access or how. That’s particularly troubling: if this wasn’t a hack or a full security breach, then sloppy security may have let anyone access this information and clone the database. That reading is backed up by the fact that Marriott says it discovered the breach through a copied and encrypted version of the database. Whether this copy is public, or for sale on the dark web, remains vague. There are also signs Marriott could have been breached in the past.

“We deeply regret this incident happened,” says Marriott CEO Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Marriott has reported this breach to law enforcement, and has begun notifying regulators. The company has also set up a dedicated website and call center, and is notifying affected guests by email — including in the U.S., Canada, and the U.K. Marriott is also offering free access to WebWatcher to help protect against identity fraud.

Given that the breach falls under the Europe-wide GDPR rules, Starwood may face significant financial penalties of up to four percent of its global annual revenue if found to be in breach of the rules.

Marriott’s (MAR) stock is plunging on the news, falling nearly 6% in pre-market trading.


*This article was originally posted by Tom Warren for The Verge on Nov. 30, 2018, and can be found here.
