Marriott has announced that it has suffered a massive data breach after attackers hacked its guest reservation system at Starwood hotels, a group of hotels the company took over in 2016 – These hotels include Sheraton, St. Regis, Westin and W Hotels.
The breach was discovered last week after Marriott’s internal security tool alerted the company regarding an attempt to access the Starwood guest reservation database in the United States. Upon investigating, it was concluded that there was unauthorized access to the database containing guest information related to Starwood properties’ reservations since 2014.
“The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” Marriott said.
The total number of affected guests is 500 million out of which 327 million records of “some combination” of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences have been stolen.
For some guests, the exposed information includes payment card numbers and their expiration dates. The company claims that the stolen payment card numbers were encrypted with Advanced Encryption Standard encryption (AES-128) however, it is unclear if hackers were able to decrypt the card data or not.
“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President, and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott is offering guests free membership to WebWatcher, a computer and mobile device monitoring software. The company is also urging guests to keep an eye on their payment card transactions and change the password for their account on the hotel’s website.
“With the data of approximately half a billion customers breached, this is the largest exposure of traveler data ever. It’s indicative that the attackers either moved quicker to exfiltrate data from the target systems or they had more time before they were detected. Attacks like the one against British Airways and Cathay Pacific earlier this year demonstrate that the Travel and Hospitality industries are an attractive target, Rusty Carter, VP, Product Management at Arxan told HackRead.
According to Andy Norton, Director of Threat Intelligence at leading AI-powered network security provider Lastline:
“It seems like Marriott doesn’t actually know which accounts have been compromised, and they are asking consumers to self-certify that they may be impacted to get access to 12 months of identity monitoring services. Consumers should take advantage of the offer of free monitoring, and if they do have an account or have registered with Starwood.”
Norton fears that the stolen data could be monetized in a number of ways. “Firstly, simply booking rooms with any rewards earned, or buying things with points, exchanging for gift cards in a popular method. Secondly, the data could be tested against other sites. Like we saw with Dunkin’ Donuts yesterday, the consumers are more vulnerable to fraud and scams because a fraudster has private information which can be used against them,” said Norton.
Marriot breach came just days after Dell reset passwords for all Dell.com customers due to a security breach on November 9th. However, worse for Marriot is about to come in the shape of outrage and GDPR fine.