Marriott International early Friday morning disclosed a massive breach of customer data in the Starwood guest reservation database. An investigation launched by the company concluded early last week that there was unauthorized access to the database, which contains information on up to 500 million guests who made reservations at Starwood properties on or before Sept. 10, 2018.
According to the disclosure Marriott released on its website, there had been unauthorized access to the Starwood network since 2014 and the party involved copied and encrypted information in the database. An internal security tool didn’t alert Marriott to the issue until Sept. 8 of this year.
Of the 500 million guest reservations in the system, approximately 327 million included information on "some combination of" name, mailing address, phone number, passport number, email address, date of birth, gender, arrival and departure information, reservation date, communication preferences and Starwood Preferred Guest account information. Some of these also contain payment card information, including number and expiration dates, which were encrypted. "There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken," the statement added.
Marriott president and CEO Arne Sorenson said in a statement that the company "fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
Marriott has established a dedicated website and call center and will contact guests impacted by the breach beginning today. It is also offering impacted guests enrollment in identity protection services.
A number of attorneys general have said they've opened investigations into the breach, including Massachusetts Attorney General Maura Healey and New York State Attorney General Barbara Underwood, who tweeted Friday morning: "New Yorkers deserve to know that their personal information will be protected." The Baltimore Sun reported on Friday afternoon that in Marriott's home state, Maryland Attorney General Brian Frosh also had opened an investigation into the breach, calling it "one of the largest and most alarming we've seen."
Breaches, Mergers & Tech Migration
Back in late Nov. 2015, when Starwood Hotels & Resorts was still an independent, publicly traded company, Starwood disclosed that malware had been found on its point-of-sale systems at 54 North American hotels. At the time, Starwood said the breach compromised payment card information for cards used at POS systems in gift shops, bars and restaurants but that it did not impact the guest reservation system or Starwood Preferred Guest.
Whether the unauthorized access to Starwood’s reservation system that Marriott is now disclosing is linked to the breach disclosed in 2015 remains to be seen. However, it’s worth noting that the 2015 disclosure said the breach of POS systems began in 2014, the same year this reservation breach is said to have begun.
If the two breaches are connected, it sets up a troubling scenario for Marriott’s competitors as well. Following Starwood’s 2015 disclosure, competitors Hyatt Hotels Corp., Hilton and InterContinental Hotels Group disclosed their own POS system breaches.
Matt Aldridge, a senior solutions architect at cybersecurity and threat intelligence firm Webroot, said corporate defenses are "often relatively similar" across an industry vertical. "Without question," Aldridge told BTN, "all other enterprises in this space with any awareness will now be looking across their systems with a new perspective and a greater fear of what could be lurking undetected in their networks."
Marriott closed its acquisition of Starwood in September 2016. Since then, Marriott has been working to migrate Starwood’s business over to Marriott’s tech systems, a process that began with moving Starwood’s salesforce over to Marriott’s proprietary RFP system and most recently proceeded with the full merger of the SPG and Marriott Rewards programs onto a single platform on Aug. 18.