The world’s largest hotel group Marriott declined to comment this week on reports that China may have been behind the massive data breach of its Starwood Hotels’ brands.
Marriott announced the breach on November 30, revealing that the personal data of up to 500 million Starwood guests had been compromised in a breach going back to 2014.
The compromised data includes that of an unknown number of customers from Europe.
Marriott has offered a year’s free subscription to a cybersecurity monitoring service to those affected in markets including the UK, US and Canada.
The company began contacting customers by email on the day it announced the breach.
Marriott said it received a security alert on September 8 and determined on November 19 that hackers had acquired data from the Starwood database, at which time it notified regulators.
It revealed the hackers breached Starwood’s system four years ago, accessing the data of 327 million guests – including encrypted payment-card numbers and dates of expiry – and creating a file with the additional data of 170 million customers.
Marriott said it could not rule out the possibility that encryption keys had also been stolen, meaning payment cards could be compromised.
The group completed the $13.6-billion acquisition of Starwood in September 2016, having announced the deal in November 2015.
Starwood reported a breach of point-of-sale systems in some of its hotels just four days after the deal was announced, leading security analysts to suggest the hotel operator could have detected the hackers three years ago.
A Marriott spokesperson said: “All involved would have preferred this incident had been detected earlier.”
The Starwood brands include W Hotels, St. Regis, Sheraton, Westin, Le Méridien, Element, Aloft, The Luxury Collection, Tribute Portfolio, Four Points by Sheraton and Design Hotels.
News agency Reuters reported this week that investigators looking into the breach have identified hacking tools and techniques used in previous attacks attributed to Chinese hackers.
However, investigators also suspect “multiple hacking groups” may have been inside Starwood’s computer networks simultaneously since 2014.
Asked to comment on the story, a Marriott spokesperson said: “We have nothing to share.”
The compromised data appears not to have been offered for sale. However, analysts said that could merely indicate the attackers did not wish to reveal the systems had been breached.
In a statement, Marriott said: “The company has not finished identifying duplicate information in the database, but believes it contains information on up to 500 million guests who made a reservation at a Starwood property.”
Marriott president and chief executive Arne Sorenson expressed “deep regret”, saying: “We’re working hard to ensure our guests have answers to questions about their personal information.
“We are devoting the resources necessary to phase out Starwood systems and accelerate security enhancements.”
The company has established a dedicated website (info.starwoodhotels.com) and call centre to answer questions.
The data theft is one of the biggest to date and the largest to hit the travel and hospitality sector.
British Airways suffered the theft of card details, including security-code numbers, of 244,000 customers in September and had to report a second breach in October involving another 185,000.
The hospitality sector appears particularly vulnerable to cyberattacks.
Hilton was fined $700,000 last year following data breaches in 2014 and 2015. Sabre Hospitality Solutions confirmed a breach of its reservations system affecting multiple hotel companies between August 2016 and March 2017, and InterContinental Hotels Group confirmed a breach of payment-card processors at its hotels which subsequently affected more than 1,000 properties.
A 2018 Data Breach Report by Verizon suggested that 92% of attacks on the accommodation sector result in breaches, compared with just 1% of attacks on public services.
The EU General Data Protection Regulation empowers regulators to impose fines of up to 4% of a company’s global turnover for a serious breach depending on “the nature, gravity and duration” of an infringement, “the number of data subjects affected and the level of damage”.