Private details of as many as 500 million Marriott hotel guests could have been exposed in a major data breach affecting its Starwood guest reservation database.
The US-headquartered hotel group said that details were at risk due to a huge hack that had been going on since 2014.
Marriott began an investigation in September which found there was unauthorised access to the database “which contained guest information relating to reservations at Starwood properties on or before September 10, 2018”.
It added: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
A spokesman told the Daily Telegraph that the data breach affects UK customers as its hotels in the UK had also been breached.
The company has set up a website and call centre for anyone who thinks they may be at risk, and will begin sending emails to those affected.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
Arne Sorenson, Marriott’s president and chief executive, said: “We deeply regret this incident happened.
“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre.
“We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.
“Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Adam French, Which? consumer rights expert, commented: “This data breach is on a colossal scale and it will be of great concern to Marriott customers. It is vital that Marriott provides clear information on what has happened and helps anyone who has been negatively impacted.
“Anyone worried they could be affected should consider changing their online passwords, monitor bank and other online accounts as well as their credit report to guard against potential identity fraud. Also, be wary of emails regarding the breach, as scammers may try and take advantage of it.”
Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, suggested that the data breach was related to insecure web applications.
“Many large companies still do not even have an up to date inventory of their external applications, let alone conducting continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail,” Kolochenko said.
“Regulations, such as GDPR, do not necessary help. In the past two years many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cyber-security and privacy.
“Legal ramifications for Marriott and its subsidiaries can be tremendous, from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims.”