Arne Sorenson, the chief executive of Marriott International Inc, appeared before the U.S. Senate Permanent Subcommittee on Investigations on Thursday to apologize for the massive data breach of the Starwood guest reservation system that compromised approximately 383 million data records, including 8.6 million unique payment card numbers, 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers.
On 30th November, Marriott International announced, to the horror of millions of its customers, that personal and financial information of up to 500 million people who made bookings at the chain's Starwood hotels were compromised after hackers gained unauthorised access to the Starwood guest reservation database on or before September 10, copied information stored in the database, and attempted to remove it.
The data breach impacted personal and financial information of millions of people who made bookings at Marriott International's Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.
In January, Marriott revised the number of customers affected by the breach, announcing that the breach had, in fact, compromised no more than 383 million data records as against the 500 million that it had initially predicted. While the hotel chain refused to quantify the lower number of records compromised by the incident, it said that there were multiple records for the same guest.
Compromised data records also included 8.6 million unique payment card numbers (encrypted), 5.25 million unique unencrypted passport numbers and approximately 20.3 million encrypted passport numbers. Earlier this month, Marriott revised the number of encrypted payment card numbers compromised during the incident to 9.1 million from 8.6 million, adding that approximately 385,000 of such cards were unexpired as of September 2018.
Marriott chief promises new measures to improve cyber security
On Thursday, Marriott International's chief executive Arne Sorenson appeared before the U.S. Senate Permanent Subcommittee on Investigations to apologize for the massive data breach, stating that the Starwood guest reservation system had been retired within a month after the breach was first announced and that the hotel chain would do everything requuired to ensure the protection of customers from cyber attacks in future.
"As of December 18, 2018, we are no longer using the Starwood Guest Reservation Database for business operations. In the time between the discovery of this incident and the retirement of the Starwood database, we took additional steps to secure the Starwood network, including malware removal, deployment of endpoint protection tools to approximately 70,000 devices that were originally on the Starwood network, rebuilding impacted hosts, and IP whitelisting to control access to the Starwood database.
"Beyond the steps taken to secure the Starwood network and the retirement of the Starwood Guest Reservation Database, we have accelerated our roll-out of endpoint protection tools to over 200,000 devices. Those tools allow real-time discovery of suspicious behavior on both the Starwood and Marriott networks and have next-generation anti-virus features.
"We are focused on identity access management, which means a broader deployment of two-factor authentication across our systems, as well as network segmentation, which means isolating the most valuable data so that it becomes more difficult for attackers to access the systems and for malware to spread through the environment," Sorenson said.