Marriott Announces 500 Million-Record Breach of Starwood Hotel Guests’ Data

Dec 2, 2018

 

The Marriott hotel chain has announced that it has experienced a huge data breach that led to the theft of the personal information of up to 500 million guests of the Starwood Hotels and Resorts group.

Marriott discovered the data breach on September 8, 2018, when its internal security system generated an alert following an attempt by an unauthorized party to access the Starwood guest reservation database. Third-party computer forensics specialists were called in to help with the investigation, which confirmed that the Starwood network was first compromised in 2014. It is currently unclear how the hacker breached security defenses and gained access to the network.

The hacker had encrypted data on the network, which hindered efforts to investigate the breach and determine what data had been accessed. It took until November 19, 2018 for Marriott to decrypt the data and determine what the files contained. Only then was Marriott able to confirm that the database contained information on previous Starwood Hotels’ guests.

Examining such a large database to determine which customers have had their information compromised has obviously taken some time. Marriott is still in the process of deduplicating the database to determine the exact number of guests impacted.

Marriott believes up to 500 million people who had previously made a booking at Starwood Hotels and Resorts have been affected. They also include people who made bookings at Sheraton Hotels & Resorts, Tribute Portfolio, The Luxury Collection, Aloft Hotels, Westin Hotels & Resorts, Four Points by Sheraton, Element Hotels, Le Méridien Hotels & Resorts, W Hotels, St. Regis, Design Hotels that are part of the Starwood Preferred Guest program, and its Starwood branded timeshare properties.

The kinds of data present in the stolen database include guests’ names, mailing addresses, email addresses, and other information. About 327 million past guests might also have had the following information stolen: SPG account information, birth date, arrival date, reservation date, departure date, gender, their communication preferences, and possibly their passport number.

Marriott has not yet confirmed whether the hacker stole payment card information. Payment card data were encrypted with the AES-128 algorithm; however, the two pieces of information that would allow the data to be decrypted might also have been stolen.

The data breach, which happened two years before Marriott bought the Starwood Hotels and Resorts Group, has been reported to law enforcement. Marriott is currently working with prominent security companies to improve security and prevent further data breaches.

Marriott is in the process of informing all affected people by email. All breach victims have been offered free enrollment in WebWatcher for one year. WebWatcher monitors the Internet for occurrences of user information being shared and issues alerts. U.S. guests are also being offered fraud consultation services and reimbursement coverage.

Since email addresses have been stolen, breach victims have been advised to be watchful for phishing attacks that try to obtain confidential information. All official communications are coming from starwoodhotels@email-marriott.com, although care must still be taken with any emails that appear to have been sent from that address, as the sender field might be spoofed.