Marriott International has disclosed that the guest reservation database of its Starwood division has been breached, affecting as many as 500 million guests. The company has also confirmed that there has been unauthorized access to the Starwood network since 2014.
According to a report from the BBC, for roughly 327 million guests, the attacker was able to access personally identifiable information including a combination of name, address, phone number, email address, passport number, account information, date of birth, and gender. In some cases, the compromised records also included encrypted credit card information. The company is still trying to determine whether or not the encryption keys have also been stolen.
In a statement, Marriott said that on Sept. 8 of this year, it received an alert from an internal security tool that an unauthorized user had attempted to access the Starwood database in the US. An investigation into the incident confirmed that an attacker had indeed copied and encrypted the information. Marriott was able to decrypt the information to confirm that the contents were from the Starwood guest reservation database.
While it is still unclear how the attackers penetrated the organization, Chris Wysopal, co-founder and CTO of Veracode, said that the breach could have gone undetected on the network for so long because attackers are getting better at making sure their attacks don't leave indicators of compromise (IoCs).
Marriott bought Starwood - which owns brands including the W Hotels, Sheraton, Le Méridien, and Four Points by Sheraton - in 2016 to create the largest hotel chain in the world. Marriott-branded hotels use a separate reservation system on a different network.
The incident has been reported to both law enforcement and regulatory authorities, and the UK's data regulator is investigating. While Marriott is headquartered in the US, it works with and hosts European citizens, so it must comply with GDPR. It's anticipated that Marriott International will receive a substantial penalty because of the size and scale of the breach. Wysopal said that given that this is one of the first major breaches under both GDPR and the new California Consumer Privacy Act, "it will be a bellwether for breaches to come."
“On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade,” Wysopal told AP in an interview.
Marriott is emailing guests affected by the breach and will not send emails with any attachments. Additionally, the company is offering its guests a free membership to WebWatcher, a personal information monitoring service, and is instructing guests to watch their loyalty accounts, change their passwords, and check credit card statements for unauthorized activities. An informational website and call center have also been set up to support guests during the investigation.