US hotel chain Marriott has admitted that a breach of its Starwood subsidiary's guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever.
"On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States," said the firm in a statement issued this morning. "Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014."
Around 327 million of those guest bookings included customers' "name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ('SPG') account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences."
For an unspecified number, encrypted card numbers and expiration dates were also included, though Marriott insisted there was AES-128 grade encryption on these details, saying: "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."
This could be read as a reference to a compromise of the decryption keys though no further detail was supplied. We have contacted Marriott to double-check and will update this article if we hear back from them.
Having identified the breach, on 19 November Marriott and its investigators found an encrypted database online in an unspecified location. After decrypting it, they discovered a full copy of the entire Starwood guest reservation database.
Affected hotel brands include:
- W Hotels
- St. Regis
- Sheraton Hotels & Resorts
- Westin Hotels & Resorts
- Element Hotels
- Aloft Hotels
- The Luxury Collection
- Tribute Portfolio
- Le Méridien Hotels & Resorts
- Four Points by Sheraton
- Design Hotels that participate in the Starwood Preferred Guest (SPG) program
- Starwood branded timeshare properties
Arne Sorenson, Marriott’s prez and chief exec, said in a canned statement he “deeply regrets” this incident took place, adding that the company has set up a “dedicated website and call centre”.
Law enforcement in the US has been notified. The hotel chain is emailing customers now to inform them.
That customer information website is here (its info.starwoodhotels.com URL resolves to the domain of security firm Kroll) and it includes an offer to enrol affected customers into the Webwatcher personal info breach monitoring system. Those emails, said the firm, will come from the address
firstname.lastname@example.org and "will not contain any attachments or request any information from you, and any links will only bring you back to this webpage".
Affected or potentially affected customers are being warned to change their passwords and not use easily guessed ones.
Few hacks of individual firm's customer data have come close to the scale of this one. The Yahoo! breach in 2013 saw three billion email accounts breached, while Carphone Dixons, the UK electronics retail chain, managed to lose control of 5.9 million sets of payment card data. In the US, the US Government Office for Personnel Management (which handles sensitive files on millions of government workers) had the personal data of 21 million employees' breached by hackers. ®