Another massive hotel data breach has surfaced online that affected millions of customers. This time, the victim is a renowned chain of hotels having a worldwide presence – that is – Marriott Hotels. Allegedly, the chain of hotels exposed 500 million records of guest customers as a result of Marriott data breach. The incident exposed the details of customers who made a reservation at any Starwood property since 2014.
500 Million Records Exposed In Marriott Data Breach
As disclosed recently, a Marriott data breach has exposed around 500 million customers’ records to unknown hackers. The hotel chain has mentioned all the details in a dedicated website release that it set up to inform the public.
Marriott explained in its official statement that the incident in early September. The firm came to know of the breach on September 8, 2018, from an internal security tool that notified of an attempt to access the Starwood database. It then began investigating the matter only to discover a breach for the past four years – that is – since 2014.
Things became worst when Marriott found some data accessed and encrypted by an unauthorized entity. In November, they succeeded in decrypting the data to know it belonged to its Starwood guest reservation database.
The exposed database allegedly contains about 500 million records of guests who made a reservation at a Starwood property from 2014 until September 10, 2018. Out of these, details of 327 million customers include explicit personal details. Explaining in detail about the breached data, Marriot stated,
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).”
The combination of personal information leaked here varies with the customers. Nonetheless, regarding the payment card data encryption, it said,
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”
Security Measures Taken
Marriott has clearly stated that the security breach affected the Starwood network only. It means that the customers interacting with Marriott hotels remained safe during the incident. The affectees include all those interacting with Starwood properties. Marriott acquired Starwood Hotels & Resorts Worldwide, Inc. in 2016. As listed by the parent, Starwood chain includes,
“Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.”
The hotel has begun informing the affected customers about the incident since November 30, 2018. These emails will reach customers from the email address [email protected].
Besides, Marriott confirmed that they have duly involved the law enforcement authorities to investigate the matter. Moreover, the Attorney General of New York and Maryland have also announced separate investigations via their official Twitter accounts.
The Marriott data breach is one of the largest and most alarming we’ve seen. My office is launching an investigation to find out the circumstances that led to the breach and its impact on consumers. https://t.co/r3qUPBg3N8
— Brian Frosh (@BrianFrosh) November 30, 2018
Moreover, Marriott also offered free enrollment to WebWatcher to the affected customers for one year. The customers from the US will also receive free fraud consultation services.