Marriott, one of the world’s largest hotel chains, announced on Friday that it has experienced a jaw-dropping data breach that may have exposed the personal data of up to 500 million guests going all the way back to 2014.
In a filing with the SEC, Marriott explained that it first learned about the breach on September 8 when a security tool alerted administrators that someone was attempting to gain unauthorized access to its Starwood reservation system in the United States. Here’s Marriott’s explanation of what happened next:
Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
The way the statement is worded is a bit confusing, but it appears to be saying the intruders did manage to obtain an encrypted copy of the database before trying to remove evidence of their activities. We’ve reached out to Marriott to clarify exactly what the company means and we’ll update this post when we receive a reply. Update: In response to our request for clarification, a Marriott spokesperson told us they “don’t have any more information on the specifics of the incident.”
Marriott said its team is still “identifying duplicate information” on its database but it believes the hackers were able to access the data of around 500 million guests. And we’re talking about a lot of data points. The list includes: “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.” It said that credit card numbers were included for some guests but they were obscured with standard AES-128 encryption. It’s still unclear if the attackers also obtained the necessary keys to decrypt the credit card info.
Marriott obtained the Starwood hotels brand in 2016, so it appears the company may have inherited this problem since its researchers believe the intruders have had access since 2014. In its filing with the SEC, it said it will work to phase out Starwood systems.
Since Marriott has hotels in Europe, it will likely come under scrutiny by authorities from the EU and could face financial penalties under GDPR regulations. It has set up a dedicated website to answer customer questions and said it will begin notifying customers individually via email.