Marriott reports massive data breach of 500 million of its Starwood guest records

The data breach impacted Starwood hotels, a global chain that Marriott acquired in 2016. One of the largest global hotel chains with 1,200 properties, it includes Starwood timeshares and brands such as W Hotels, St. Regis, Sheraton, Westin and more. Marriott hotel’s reservation system is separate and not believed to be impacted by the breach.

The investigation is ongoing but it’s known at this time that a breach of the guest database was discovered on or before September 10. The breach may have been going on as far back as 2014, before Marriott’s acquisition of the chain. Even though the company has known for many weeks, it’s just now notifying the public and its guests of the breach.

The unauthorized party copied and encrypted information and “took steps towards removing it.” On November 19, Starwood obtained the database and decrypted the content, revealing that the contents were from the Starwood guest reservation database. The hotel has warned that they cannot guarantee that the thieves were not able to decrypt the database information.

Stolen content of 327 million records included guest’s name, postal address, phone number, date of birth, gender, email address, passport number, Starwood’s rewards information (points, balances), arrival and departure information, reservation data, and guest communication preferences. Not all records included passport information. An unknown number of records included encrypted credit card information, though it’s not certain if the information could have been decrypted by the hackers.

Marriott has started to notify affected guests. The company is giving those guests free WebWatcher memberships to monitor their information and is advising them to watch for suspicious activity in their loyalty accounts and on their credit cards.

"We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward," said CEO Arne Sorenson.

The breach likely falls under the EU’s GDPR-General Data Protection Regulation, meaning Starwood could face steep penalties if they breached those regulations (up to 4% global annual revenue). Additionally, class action lawsuits are expected to ensue.

Viewed as one of the largest corporate breaches of consumer information on record, it’s on par with Yahoo and Equifax.

Download Virsec’s free Self Protection Guide to protect your information and business.