Marriott International disclosed a massive security breach of the reservations system for its Starwood Hotels and Resorts brand, a hack it said Friday may have compromised private info on up to 500 million guests.
According to Marriott, for around 327 million Starwood guests, the database included such personal information as name, mailing address, phone number, email address, passport number, date of birth, and gender. For some Starwood customers, the hacked database also stored payment card numbers and expiration dates, although Marriott said that information was encrypted.
Hackers had accessed the Starwood network since 2014, Marriott said. The incident is one of the biggest single breaches of personal consumer data to date.
In an 8-K filing Friday, Marriott said it doesn’t know what the financial cost of the hack will be, but the company said it does not believe it will “impact its long-term financial health.”
“The company carries insurance, including cyber insurance, commensurate with its size and the nature of its operations,” it said. “The company is working with its insurance carriers to assess coverage.”
Marriott said it has taken measures to investigate and address the data-security incident involving the Starwood guest reservation database. It said that on Nov. 19, 2018, it confirmed that the data involved had come from the Starwood guest reservation database.
“We deeply regret this incident happened,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott has set up a dedicated website at answers.kroll.com, operated by risk-consulting firm Kroll, to provide information and services to customers related to the hack. It also has opened a 24-hour dedicated call center for customers to inquire about their accounts. Marriott said it will begin sending emails to affected Starwood guests about the hack “on a rolling basis” starting Nov. 30. Marriott is also offering guests in the U.S., Canada and the U.K. a free one-year enrollment in the privacy-monitoring service WebWatcher.
Marriott said that on Sept. 8, 2018, its IT team received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the U.S. After investigating, the hotel chain said, it discovered that “an unauthorized party had copied and encrypted information” from the database and had taken steps toward removing it.
The credit-card data hackers were able to steal from the Starwood system was encrypted with AES-128 (the 128-bit-key variant of the Advanced Encryption Standard). That ciphertext is only as safe as the key material that protects it, and Marriott said it has “not been able to rule out the possibility” that the hackers also obtained the components needed to decrypt the card numbers.
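To make that caveat concrete, here is an added illustration written for this page; it is example code, not anything Marriott or Starwood ran. It stores a card number as AES-128-GCM ciphertext under a per-record data key (DEK) and keeps that DEK in the same table only in wrapped form, sealed under a key-encryption key (KEK) that is supposed to live outside the database. The KEK bytes, guest name and card number are constructed samples. Counting how many rows an intruder who copied the whole table can decrypt shows the two outcomes Marriott cannot tell apart: none if the key material stayed out of reach, all of them if it did not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one row of a hypothetical reservations table: the card number only as
// ciphertext, plus the DEK wrapped under a KEK that should never sit on the DB host.
type Record struct {
	Name       string
	CardCipher []byte // nonce || ciphertext || GCM tag
	WrappedDEK []byte // DEK sealed under the KEK
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key fails the GCM tag check instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// StoreCard generates a fresh DEK, encrypts the card number under it and wraps
// the DEK under the KEK. Only the two ciphertexts reach the table.
func StoreCard(kek []byte, name, pan string) (Record, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	cardCipher, err := seal(dek, []byte(pan))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{Name: name, CardCipher: cardCipher, WrappedDEK: wrapped}, nil
}

// ReadCard is the application's path: unwrap the DEK with the KEK, then decrypt.
func ReadCard(kek []byte, r Record) (string, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := open(dek, r.CardCipher)
	if err != nil {
		return "", fmt.Errorf("decrypt card: %w", err)
	}
	return string(pan), nil
}

// CardsRecoverable models an intruder holding a copy of every row: it counts the
// card numbers that fall out given whatever KEK material the intruder also has.
func CardsRecoverable(copied []Record, kekInHand []byte) int {
	n := 0
	for _, r := range copied {
		if _, err := ReadCard(kekInHand, r); err == nil {
			n++
		}
	}
	return n
}

func main() {
	kek := []byte("0123456789abcdef") // constructed sample; a real KEK stays in an HSM/KMS
	r, _ := StoreCard(kek, "Guest A", "4111111111111111") // constructed test card number
	fmt.Println("copied table only:", CardsRecoverable([]Record{r}, []byte("not-the-real-kek")))
	fmt.Println("copied table + KEK:", CardsRecoverable([]Record{r}, kek))
}
```

The first call prints 0 and the second prints 1: the same copied table is worthless or fully exposed depending solely on where the KEK was when the intruder had access, which is the question Marriott's statement leaves open.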
Marriott said it reported the incident to law enforcement and has already begun notifying regulatory authorities.
Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels. Starwood-branded timeshare properties are also included.