According to the Marriott hotel group, the guest reservation database used for Starwood reservations has been accessed by hackers, exposing the private details of up to 500 million guests.
This includes those who have stayed at the following hotel chains: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels that participate in the Starwood Preferred Guest (SPG) program. Starwood branded timeshare properties are also included.
Note that it doesn’t matter if you are a Starwood Preferred Guest (SPG) member or not, if you made a reservation on or before September 10, 2018 for a Starwood property Marriott believes the details you provided may have been compromised.
Marriott’s own-branded hotels use a separate reservation system that the company says is on a different network, and not affected.
In an advisory published today (isn’t it funny how so many breaches are announced just before a weekend?), Marriott says it first received a security alert about an attempt to access the Starwood database on September 8 2018.
During its subsequent investigation Marriott discovered that there had been unauthorised access to the Starwood network since 2014 (Marriott acquired the Starwood Hotels group in 2016 for US $12.2 billion.)
At the start of last week – on November 19 2018 – Marriott was able to confirm that data had indeed been stolen from Starwood’s network, and issued its warning today.
Marriott says that it believes the stolen data contains information on “up to approximately 500 million guests who made a reservation at a Starwood property”.
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Even if the payment card information is not capable of being decrypted by the hackers, there is plenty of information there which scammers and fraudsters could exploit to their criminal advantage.
Marriott says it has informed law enforcement authorities about the incident, and will assist them in their investigations.
But many will also be wondering what this might mean in terms of GDPR, as there will be many people included in that database who were resident in the European Union.
GDPR, which came into force earlier this year, allows for fines of up to 20 million Euros or 4% of a company’s global annual turnover – whichever is higher.
Ouch. I wonder how Marriott’s share price is going to perform today?
If you’ve stayed at one of the hotel chains affected by this data breach, check out the FAQ from Marriott.
Readers with long memories may recall that Starwood and Marriott hotels have had their fair share of run-ins with cybercriminals in the past, but from the sound of things this data breach is on a much larger scale.