A breach of the Marriott hotel chain’s guest reservation database may have compromised the personal information of upwards of 500,000 customers.
In a Nov. 30 announcement, Marriott officials said that on Sept. 8 it received an alert from an internal security tool regarding an attempt to access the U.S. guest reservation database. “Marriott quickly engaged leading security experts to help determine what occurred,” the company said in a statement.
During the investigation, it was learned that there was unauthorized access to the Starwood network since 2014. The company then discovered that an unauthorized party had copied and encrypted information.
As of Nov. 19, Marriott determined that the pilfered data was from the Starwood guest reservation database.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” the statement says. For approximately 327 million of those guests, the information includes some combination of name, mailing address, phone number, e-mail address, passport number, Starwood Preferred Guest (SPG) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, however—and, at this point, Marriott has not been able to rule out the possibility that both were taken.
For the remaining guests, the information was limited to name and sometimes other data such as mailing address, e-mail address, or other information.
“Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities,” the statement adds. The company says it will furnish a Form 8-K with the Securities and Exchange Commission to disclose the breach and subsequent investigation.
“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated Website and call center,” Arne Sorenson, Marriott’s president and CEO, said in a statement. “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.”
Sorenson added that Marriott is “devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to [its] network.”
Marriott listed actions it has initiated to help guests monitor and protect their information. They include a dedicated Website (info.starwoodhotels.com) and call center to answer questions about the incident. The frequently asked questions on the above Website may also be supplemented as new information becomes available. The hotel chain began sending e-mails on a rolling basis on Nov. 30, 2018, to affected guests whose e-mail addresses are in the Starwood guest reservation database.
Marriott is also providing guests the opportunity to enroll in WebWatcher free of charge for one year. The service monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s data is found.
Marriott International is based in Maryland and encompasses a portfolio of more than 6,700 properties spanning 129 countries and territories.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels. It remains to be seen whether the international scale of the hotel holdings will trigger penalties under the European Union’s General Data Protection Regulations.
The hotel chain did not say precisely when in 2014 the breach was thought to have begun, “but it’s worth noting that Starwood disclosed its own breach involving more than 50 properties in November 2015, just days after being acquired by Marriott,” noted data security expert Brian Krebs in a blog post on his “Security” Website. “According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year—to November 2014.”
In 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops, and other payment systems that were not part of its guest reservations or membership systems, Krebs wrote, observing that “this would hardly be the first time a breach at a major hotel chain ballooned from one limited to restaurants and gift shops into a full-blown intrusion involving guest reservation data.”
“This major breach follows a number of critical incidents in the hospitality industry and is certainly an additional wake-up call for highlighting the importance of cyber-security and personal data protection, and their close coupling with the brand name of each firm, especially with GDPR and similar personal data-related regulations into force,” says Chris Dimitriadis, past board chair of ISACA, a global association of more than 450,000 professionals focused on cyber-security, governance, and risk. “Encryption, although not a silver bullet, proves to be an effective risk mitigation control both from a practical and communications point of view.”
“The incident is not a surprise, taking into account the sophistication of the attackers that prefer to target systems in the service provision chain in which security attention may be lower, such as cash registers and point-of-sale systems rather than central systems directly,” he added. “As a result, what is crucial in such cases is detection and response.”
The Marriott breach follows another high-profile intrusion of a customer rewards program.
Earlier this month, Dunkin Donuts announced a warning to its customers that DD Perks reward account holders may have been hacked by a third party accessing customer profiles and personal data in October.
In a statement, the company said it wasn't an actual breach of its back-end systems; instead, it was “a credential stuffing attack.”
“Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts,” a statement by the company says.
On Oct. 31, the company first learned of the compromise. “Our security vendor was successful in stopping most of these attempts, but it is possible that these third parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin’,” it said.
In response, the company mandated a password reset for potentially affected customers.
“We also reported the incident to law enforcement and are cooperating with law enforcement to help identify and apprehend those third parties responsible for this incident,” the company said. “As always, we strongly recommend that our guests create unique passwords for their DD Perks accounts, and do not reuse passwords used for their other unrelated online accounts.”