Hackers had access to part of Marriott International’s reservation system for four years, the hotel chain announced last week, compromising the private information of 500 million customers.
According to Marriott, the guest reservation database for its Starwood properties was exposed between 2014 and September 2018. Personal information for hundreds of millions of customers, including passport and possibly payment card numbers, was stolen in what The New York Times called the second largest theft of personal records after Yahoo’s breach in 2013.
Information stolen, according to Marriott, included names, mailing addresses, phone numbers, passport numbers, birthdates, and gender. It also included details on communication preferences, arrivals, departures, and reservations.
Payment card numbers were encrypted, and two separate components are needed to decrypt them, Marriott said, but its security investigators have “not been able to rule out the possibility that both were taken.”
Marriott said it began discovering the breach on Sept. 8, when a security network tool discovered an unauthorized attempt to access its guest reservation database. Its investigators later found that an unauthorized party had copied and encrypted information. On Nov. 19, Marriott determined the information was taken from its Starwood chain.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and CEO. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Though massive in scale, the Marriott breach is still smaller than Yahoo’s breach in 2013, which involved the data of 3 billion user accounts. Last year’s Equifax breach exposed the personal information of 150 million people.
Cybersecurity experts are still trying to identify the culprits.
“Usually when stolen data doesn’t appear [on the dark web], it’s a state actor collecting it for intelligence purposes,” James Lewis, a cybersecurity expert at the Center for Strategic Studies, told The Times.
Marriott is now facing several potential class action lawsuits. If citizens of the European Union were affected by the breach, it may also face hefty fines from the EU’s stricter rules for data protection passed earlier this year.
Senator Mark Warner of Virginia used the breach as a platform to promote new data legislation in the United States.
“We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need,” Warner said in a statement. “And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”
Consumers can go to Marriott’s Starwood website or contact its call center, open seven days a week, to get more information. Marriott said it is emailing impacted customers on a rolling basis.
The blog “Krebs on Security” includes a deeper analysis of the scandal and advises consumers on how they can protect themselves. Potential victims of identity theft can report instances to the FBI’s Internet Crime Complaint Center.