Marriott International has been investigating a hack involving unauthorized access, dating back to 2014, to the guest reservation database at its Starwood unit, in what may be one of the biggest such data breaches.
The hack affects some 500 million guests, and for about 327 million of them, the data included passport numbers, emails, and mailing addresses, Marriott said. The data breach involved information mined from the database for Starwood properties, which include Sheraton, Westin and St. Regis hotels, among others. An unauthorized party had accessed the database.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s chief executive, said in a news release. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
“The breach is so big that the company may face a large fine from the authorities and the market is factoring that in,” said Juan Jose Fernandez Figares, chief analyst at Link Securities in Madrid. “This is yet another company that has been hit by a hacking and a reminder to any company that manages customers’ personal data that they need to work harder to protect them from future attacks.”
The hotel chain has set up a website and call center to answer questions at info.starwood.com, and it is emailing affected guests beginning Friday.
News of the breach sparked questions among cyber-security experts about whether the hackers were criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possible diplomats, business people or intelligence officials as they moved around the globe. Hotel chains, with their vast customer databases and proprietary WiFi networks, likely make appealing targets.
Regulators and consumers have been stepping up their action against companies that have suffered security breaches as such attacks have become increasingly severe. Target Corp. last year agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen, while Equifax is facing billion-dollar lawsuits and a regulatory investigation.
For most customers of Marriott properties, the likeliest risk from the breach is identity theft. Such detailed personal information would make it easier for criminals to impersonate others for the purpose of conducting banking transactions, applying for government benefits or even seeking to enter secure facilities that require official identification, such as passports.
The breach came to light on September 8 when “an internal security tool” alerted Marriott to an attempt to hack the Starwood database in the US.
During a subsequent investigation, the company learned that the breach had been ongoing since 2014. On November 19, Marriott “was able to decrypt the information and determined that the contents were from the Starwood guest reservation database”.
Marriott reported the incident to law enforcement and started notifying regulatory authorities.
The company also set up a website and call center for those who think they may have been affected. On Friday, Marriott will begin sending emails to those identified.
New York Attorney General Barbara Underwood said her office opened an investigation into the incident.
Ref. MSN/Bloomberg, washingtonpost.com, aljazeera.com, NBC News