Marriott has revealed that the data of up to 500 million Starwood guests may have had their data accessed in a breach of the Starwood guest reservation database that spanned four years.
The world's largest hotel company was alerted to an attempt to access the system on 8 September and says it immediately “engaged leading security experts to help determine what occurred”. On 19 November, the investigation concluded that there had been unauthorised access to the system.
During the course of the investigation, Marriott learned there had been unauthorised access to the Starwood network since 2014.
The “unauthorised party” had copied and encrypted information and took steps toward removing it, according to the hotel company.
Marriott says it believes the database contains the details of up to 500 million guests who made a reservation at a Starwood property on or before 10 September.
Starwood’s brands include W Hotels, St Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, the Luxury Collection, Tribute Portfolio, Le Meridien Hotel & Resorts, Four Points by Sheraton and Design Hotels, as well as Starwood-branded timeshare properties.
For up to 327 million of those on the database, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some, this also includes payment card numbers and expiration dates, but Marriott claims the card numbers were encrypted using an Advanced Encryption Standard.
The hackers would need two components to decrypt these card numbers, however Marriott cannot guarantee at this point whether these components were taken in the breach.
Marriott says it has already started notifying regulatory authorities about the incident.
The breach would have begun before Marriott acquired Starwood in 2016, bringing into question how it was not discovered by either party throughout the course of the merger process.
CEO Arne Sorenson commented: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Marriott has created a dedicated website (info.starwoodhotels.com) and call centre to answer guests’ questions regarding the breach. The website also features a Frequently Asked Questions section with advice for those affected.
The company will begin emailing guests included in the database from today and is also offering free enrolment in Webwatcher, which monitors sites where personal information is shared and generates an alert if evidence of the customer’s data is found, however this service is not available in all countries.
This is the largest of a number of high-profile data breaches in the travel industry, equalling about one in every 14 people around the world.
Similar incidents have been reported at Uber, British Airways, Eurostar, Air Canada and Cathay Pacific, while Heathrow airport was fined after a staff member lost a USB stick containing sensitive information that was found and easily accessed by a member of the public.
In September, Ali Hussain, chief innovation and technology officer at ATPI Group, wrote a guest piece for BBT with tips for travel managers to ensure their travellers’ data is secure.