The Marriott hotel chain has announced it has suffered a massive data breach that has resulted in the theft of the personal information of up to 500 million guests of the Starwood Hotels and Resorts group.
Marriott discovered the data breach on September 8, 2018, after an alert was generated by its internal security system following an attempt by an unauthorized individual to access the Starwood guest reservation database. Third-party computer forensics experts were called in to assist with the investigation, which confirmed that to the Starwood network was first gained in 2014. It is currently unclear how the hacker breached security defenses and gained access to the network.
The hacker had encrypted data on the network which hampered efforts to investigate the breach and determine what data had been accessed. It took until November 19, 2018, for Marriott to decrypt the data and determine what the files contained. Only then was Marriott able to confirm that the database contained information on previous Starwood Hotels guests.
Analyzing such a huge database to determine which customers have had their information compromised has naturally taken some time. Marriott is still in the process of deduplicating the database to determine the exact number of guests impacted.
Marriott believes up to 500 million individuals who had previously made a reservation at Starwood Hotels and Resorts have been affected. They also include individuals who made reservations at Sheraton Hotels & Resorts, Four Points by Sheraton, Element Hotels, Le Méridien Hotels & Resorts, W Hotels, St. Regis, Westin Hotels & Resorts, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Design Hotels that are part of the Starwood Preferred Guest program, and its Starwood branded timeshare properties.
The types of data present in the stolen database include the names of guests, mailing addresses, email addresses, and other information. Around 327 million past guests may also have had the following information stolen: SPG account information, birth date, gender, reservation date, arrival date, departure date, their communication preferences, and potentially, their passport number.
Marriott has not yet confirmed whether the hacker stole payment card information. Payment card data were encrypted with the AES-128 algorithm, but the two bits of information that would allow the data to be decrypted may also have been stolen.
The data breach, which occurred two years before Marriott acquired the Starwood Hotels and Resorts Group, has been reported to law enforcement. Marriott is currently working with leading security firms to improve security and prevent any further data breaches.
Marriott is in the process of notifying all affected individuals by email. All breach victims have been offered free enrolment in WebWatcher for one year. WebWatcher monitors the Internet for instances of user information being shared and issues alerts. U.S. guests are also being offered fraud consultation services and reimbursement coverage.
Since email addresses have been stolen, breach victims have been warned to be alert for phishing attacks that attempt to obtain sensitive information. All official communications are coming from the firstname.lastname@example.org, although care should still be taken with any emails that appear to have been sent from that email address as sender field could be spoofed.