International hotel chain Marriott announced today a security breach during which the personal details of 500 million hotel guests was stolen.

The breach happened in 2014, but Marriott says it became aware of it on September 10, two days after its staff spotted an alert from an internal security tool about an attempt to access the Starwood guest reservation database in the United States.

The hotel chain says it worked with leading security experts to investigate the alert. Investigators discovered the intrusion, dating back to 2014, but also that an unauthorized party had copied and encrypted information, and took steps towards removing it.

Marriott said forensic experts managed to decrypt the data attackers stole from the Starwood guest reservation database earlier this month, on November 19.

They said the attackers exfiltrated information on up to approximately 500 million guests who made a reservation at a Starwood property.

The Starwood hotel chain, which Marriott acquired in 2016, includes other hotel brands, such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.

Investigators said that for 327 million of the Starwood guests, the information that attackers stole included a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For some of these guests, payment card data was also stolen, but Marriott did not say for how many.

“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128),” the hotel said today in an SEC filing.

“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the hotel chain added.

For the rest, up to 500 million, the data only included a name, and sometimes other info such as mailing address, email address, or other information.

Marriott started today notifying all affected guests via email. Hotel guests will also be able to visit a website that will be available later today at for information about the incident. Where eligible, some users will also be able to enroll in a free identity monitoring service.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” Sorenson added.

This is the third breach affecting Marriott’s Starwood chain after the infections with Point-of-Sale (PoS) malware disclosed in 2015 and again in 2016.


via Marriott announces data breach affecting 500 million hotel guests | ZDNet

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Share This