Marriott says data for up to 500 million customers compromised in breach

Nov. 30, 2018

Marriott International Inc. said in a press release that it is investigating a massive data breach that has compromised the personal information of up to 500 million customers of its parent company, Starwood Hotels. The breach is one of the largest in U.S. history, 

The hotel chain said that for more than 327 million guests, the compromised data includes their names, mailing addresses, phone numbers, emails, passport numbers, Starwood Preferred Guest accounts, birth dates, gender, arrival and departure information, reservation date and communication preferences.

Some guests may have had their credit card data compromised, but the company said it used the Advanced Encryption Standard (AES-128) to encrypt the card information. Marriott said two components are needed to decrypt that information, but it cannot rule out that some of the data was compromised.

"We deeply regret this incident happened," Arne Sorenson, president and chief executive of Marriott, said in the announcement. "We fell short of what our guests deserve and what we expect of ourselves."

Marriott said that on Sept. 8 an internal security tool indicated an attempt to access the reservations system. The company brought in security experts and determined that there had been unauthorized access to the system since 2014, and that the attackers copied and encrypted data and tried to remove it from the system.

Marriott said an investigation launched Nov. 19 discovered that the information involved reservations at Starwood Hotels on or before Sept. 10, 2018.  

The company has notified law enforcement and has begun to inform regulators, and filed a copy of the press release and other information on form 8-K with the Securities and Exchange Commission.

New York Attorney General Barbara Underwood said in a tweet that her office is investigating the incident. FBI officials said they are monitoring the situation. 

"The FBI is aware of the reporting and tracking the situation as appropriate," an FBI spokesperson told Mobile Payments Today via email. "Individuals contacted by the company should take steps to monitor and safeguard their personally identifiable information and report any suspected incidences of identity theft to the FBI's Internet Crime Complaint Center at www.ic3.gov."

Symantec, the cybersecurity firm behind Norton Utilities, warned consumers to be wary of emails purporting to contact them about the breach, as phishing attacks tend to go up after large breaches. A spokesperson for the company also warned about websites that claim to help people track if their identity has been compromised. 

A website, info.StarwoodHotels.com, has been set up to provide additional information. The company also plans to begin notifying guests on a rolling basis immediately based on the emails in the Starwood database.

The company is offering guests free enrollment in WebWatcher.com, a service that monitors whether information on sites has been compromised. Guests who enroll will get fraud consultation and reimbursement coverage, the company said.

Marriott completed the acquisition of Starwood in 2016. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, Le Meridien and others. Marriott has a total of 6,700 hotel rooms under various brands in 129 different countries.

Topics: Loyalty Programs, Security

Companies: Marriott International
