Marriott announced that it recently detected and addressed a security incident involving the Starwood guest reservation database.
On 30 November 2018, Marriott revealed that an internal investigation had found evidence of unauthorized access to the database holding guests' reservation information for Sheraton hotels and other Starwood properties, with the most recent access occurring on or before 10 September 2018.
The American multinational hospitality company, which acquired Starwood in 2016, launched its investigation after an internal security tool alerted on an attempt by an unknown party to access the database on 8 September 2018. Marriott responded by engaging outside security experts to help determine what had happened.
As a result of the review, Marriott learned that unauthorized individuals had been accessing Starwood's network since at least 2014. It also found that the intruders had copied and encrypted information and had taken steps toward removing it from the network. Marriott decrypted this information on 19 November 2018 and only then learned that it had originated from the Starwood guest reservation database.
Based on its initial assessment, Marriott said it believes the database contains the records of as many as 500 million guests. For approximately 327 million of them, the exposed data includes some combination of name, mailing address, phone number, email address, passport number, date of birth and reservation details.
The database also contained some customers' payment card numbers and expiration dates, which were encrypted with AES-128, Marriott learned. Two components are needed to decrypt those card numbers, and at this time the hospitality company has not ruled out the possibility that the attackers took both. That caveat matters: encryption at rest only protects data if the keys are stored, and access to them is controlled, separately from the data they protect, and an intruder with years of access to the network is well placed to have obtained both.
Marriott said it reported this incident to law enforcement and has begun notifying regulatory authorities.
Tim Erlin, VP of Product Management & Strategy at Tripwire, said that Marriott could face regulatory penalties for the security event:
There’s a high likelihood that this breach affects residents of the EU, and will have GDPR implications for Marriott.
Right now we’re at the front end of the breach response process, but we should expect that there’s much more to learn about this incident. It’s not unusual for the scope of a breach to expand after the initial disclosure. It’s extremely unusual to have discovered the full extent before public announcement is made.
At this point, consumers need to practice constant vigilance against fraud and identity theft. The amount of data that’s been compromised in the recent past means that your data is likely out there somewhere.
In the meantime, Arne Sorenson, Marriott’s President and Chief Executive Officer, said the company as a whole “fell short of what our guests deserve and what we expect of ourselves.” As quoted in a news release:
Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.
News of this breach comes approximately three years after Starwood Hotels & Resorts announced, in November 2015, that point-of-sale (PoS) systems at more than 50 of its locations in North America had been compromised.