Hotel giant Marriott has confirmed that its Starwood Hotels & Resorts guest reservation database has been hacked by an unauthorized party.
Affecting up to 500 million people, the vast hack has exposed a considerable amount of data including:
- Phone numbers
- Passport numbers
- Encrypted payment card numbers
- Payment card expiration dates
While the payment card data was encrypted using the Advanced Encryption Standard (AES-128), Marriott has not yet been able to rule out the possibility that both components needed to decrypt the payment card numbers could have been taken.
In its statement, Marriott President and CEO Arne Sorenson said:
“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward.”
Marriott reported that it became aware of the breach in September this year when it was alerted by an internal security tool regarding an attempt to access the Starwood database in the US. However, during the course of an internal investigation, the chain learned “that there had been unauthorized access to the Starwood network since 2014.”
Marriott acquired the Starwood chain in 2016 for $13.6 billion. Starwood’s hotel brands include W Hotels, Sheraton, Le Meridien and Four Points by Sheraton.
This breach could be one of the largest in history.
Marriott has begun notifying customers and regulatory authorities and has set up a dedicated website and call center to answer questions about the incident.