[Updated] Marriott Data Breach Exposes Personal Information of 500 Million Guests – Sheraton, St. Regis, Westin, Element Hotels, & Others Included
Marriott says its guest reservation system has potentially exposed the personal information of up to 500 million of its guests. The international hotel chain reported the breach today, confirming that its Starwood reservation system had been hacked. The data at risk goes back to at least 2014.
"The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it," the Marriott International said in its statement. "We deeply regret this incident happened."
Highlights: Marriott breach was discovered on November 19; hackers had access to the system since 2014; payment data could also be at risk
The hotel chain's internal investigation found that an attacker had managed to access its Starwood network since 2014. In September, the company discovered that an unauthorized party had recently copied and encrypted information, and then tried to remove the data. It was on November 19 when Marriott finally decrypted the data to discover that the contents were from the Starwood guest reservation database.
Marriott said the guest reservation database contained guest information relating to reservations at Starwood properties on or before September 10, 2018. [Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.]
For around 327 million guests, the exposed data includes at least some of the following records:
- mailing address
- phone number
- email address
- Starwood Preferred Guest (“SPG”) account information
- passport number
- date of birth
- reservation date
- arrival and departure information
For some, the exposed data also includes payment data, however, the company is yet to confirm that. The company said that "there are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken."
Marriott, the world’s largest hotel chain, bought Starwood Hotels and Resorts Worldwide two years back for $12.2 billion. The merger brought major names Sheraton under Marriott's umbrella.
"We fell short of what our guests deserve and what we expect of ourselves," Marriott's CEO Arne Sorenson said in a statement. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward." The hotel chain's stock has appeared to take a hit, falling nearly 6% in premarket trading.
Marriott has established a dedicated website (external link) to answer questions about this incident. The company added that it will start notifying customers whose records were in the database "on a rolling basis" starting today.
[Update]: Breach doesn't affect Marriott-branded hotels
Responding to our query, Tracey Schroeder, VP, Global Consumer Public Relations at Marriott, clarified that the breach does not affect Marriott-branded hotels.
"The guest reservation database that is involved [in the incident] was only used for Starwood reservations," Schroeder confirmed in an emailed statement to Wccftech. "Marriott uses a separate reservation system that is on a different network."