December 1, 2018
Marriott International Inc. is investigating a massive data breach that has potentially compromised personal data of up to 500 million customers of its parent company, Starwood Hotels.
The hotel chain said the data includes names, mailing addresses, phone numbers, emails, passport numbers, Starwood Preferred Guest accounts, birth dates, gender, arrival and departure information, reservation date and communication preferences for more than 327 million guests, according to a press release.
Some guests may have had credit card data compromised, but the company said it encrypted card information using the Advanced Encryption Standard (AES-128). Marriott said two components are needed to decrypt that information, but it cannot rule out that some of the data was compromised.
"We deeply regret this incident happened," Arne Sorenson, president and chief executive of Marriott, said in the release. "We fell short of what our guests deserve and what we expect of ourselves."
Marriott said an internal security tool indicated on Sept. 8 that there had been an attempt to access the reservations system. The company brought in security experts and determined that there had been unauthorized access to the system since 2014, and that attackers had copied and encrypted data and tried to remove it from the system.
Marriott said an investigation launched Nov. 19 discovered the information involved reservations at Starwood Hotels on or before Sept. 10, 2018.
The company notified law enforcement and has begun to inform regulators, and filed a copy of the press release and other information on form 8-K with the Securities and Exchange Commission.
New York Attorney General Barbara Underwood said in a tweet that her office is investigating the incident. FBI officials are monitoring the situation.
"The FBI is aware of the reporting and tracking the situation as appropriate," an FBI spokesperson told Mobile Payments Today via email. "Individuals contacted by the company should take steps to monitor and safeguard their personally identifiable information and report any suspected incidences of identity theft to the FBI's Internet Crime Complaint Center at www.ic3.gov."
Symantec, the cybersecurity firm behind Norton Utilities, warned consumers to be wary of emails purporting to contact them about the breach, as phishing attacks tend to go up after large breaches. A spokesperson for the company also warned about websites that claim to help people track if their identity has been compromised.
A website, info.StarwoodHotels.com, has been set up to provide additional information. The company also plans to begin notifying guests immediately, on a rolling basis, using the email addresses in the Starwood database.
The company is offering guests free enrollment in WebWatcher.com, a service that monitors whether information on sites has been compromised. Guests who enroll will get fraud consultation and reimbursement coverage, the company said.
Marriott completed the acquisition of Starwood in 2016. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, Le Meridien and others. Marriott has a total of 6,700 hotel rooms under various brands in 129 different countries.