Today, hotel chain Marriott International disclosed a data breach affecting 500 million of its guests. Marriott discovered that the guest reservation database of its subsidiary Starwood Hotels had been accessed by unauthorised individuals and believes that the database has been accessible since 2014. Hence, leaving the entire database of 500 million guest bookings exposed to the attackers for four years.
The personal information accessed and copied by the attackers include a combination of name, address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences for about 327 million guests.
Additionally, some encrypted card numbers and expiration dates were stolen and there’s a possibility that the encryption keys have been taken too.
Marriott International acquired Starwood in 2016, forming the world’s largest hotel chain with over 5,800 properties. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.
The incident is believed to be one of the most significant data breaches so far except for the Yahoo hack that affected 3 billion user accounts.
Marriott learnt of the breach last month on September 8 after receiving an alert from an internal security tool regarding an access attempt of its separate Starwood guest reservation database in the United States. Marriott believes that the Marriott network has not been affected.
On the 19 November investigators located an encrypted database online and discovered that it comprised the entire Starwood guest reservation database.
Marriott has begun notifying regulatory authorities and has informed law enforcement of the incident.
The UK’s data regulator has confirmed it is investigating the incident. Although Marriott’s headquarters are in the United States, it has to comply with the EU’s General Data Protection Regulation when handling data of EU customers.
The UK’s Information Commissioner’s Office said:
“We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries.
“We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online.”
The hotel chain is informing those affected.