Personal and financial information of up to 500 million people who made bookings at Marriott International's Starwood hotels were compromised after hackers gained unauthorised access to the Starwood guest reservation database on or before September 10, copied information stored in the database, and attempted to remove it.
The massive data breach, which could become one of the largest data security incidents in history, affected hundreds of millions of people who made reservations at Marriott International's Starwood properties such as Sheraton Hotels & Resorts, Westin Hotels & Resorts, Le Méridien Hotels & Resorts, Four Points by Sheraton, St Regis, W Hotels, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, and Design Hotels.
Starwood database breach impacted up to 500 million guests
In a press release, Marriott International said that it was alerted about an unauthorised breach of the Starwood guest reservation database by an internal security tool on 8th September. Following further investigation, the luxury hotel chain determined that there had been unauthorised access to the Starwood network since 2014 and that an unauthorised party had copied and encrypted information, and took steps towards removing it.
It took Marriott International over two months to decrypt information accessed by the hacker, following which it could confirm that the information was taken from the Starwood guest reservation database.
"The information copied from the Starwood guest reservation database over time includes information about guests who made a reservation at a Starwood property, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences.
"The combination of information varies by guest. For some individuals, the information copied also included payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point Marriott has not been able to rule out the possibility that both were taken," it said.
Marriott International added that the Starwood guest reservation database contained information of up to 500 million guests. While it stored combinations of names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account numbers, date of birth and gender of 327 million guests, it also stored payment card numbers and payment card expiration dates belonging to a number of other guests.
"Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call centre. We are supporting the efforts of law enforcement and working with leading security experts to improve. Marriott is also devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," it added.
Since Marriott International uses a separate reservation system for its own guests, those who made reservations at Marriott hotels prior to September 10 were not affected by the incident. If you made booking at any Starwood property prior to September 10 this year, you may contact Marriott International at 0-808-189-1065 or email them at firstname.lastname@example.org for additional information.
Why did it take Marriott four years to detect the breach?
Tom van de Wiele, a security consultant at F-Secure, told TEISS News that the most disappointing part of the incident is the fact that the amount of data stolen is one of the bigger ones of the last few years and further made worse by the fact that the compromise had been going on for at least four years. This indicates that as far as security monitoring and being able to respond in a timely and adequate fashion, Marriott had severe challenges being able to live up to its mission statement of keeping customer data safe.
"The reason for this long detection and response time is usually a general lack of maturity in the detection strategy of the company when trying to find relevant information to track potential incidents. Being able to prioritise what is important for the business i.e. customer data, and placing detection points at the right choke points while being able to respond to, is absolutely crucial for any company trying to guard and protect customer data of any kind," he added.
Ilia Kolochenko, CEO and founder of web security company High-Tech Bridge, said that the data security incident involving Marriott's Starwood properties looks like one more tremendous data breach related to insecure web applications.
"Many large companies still do not even have an up-to-date inventory of their external applications, let alone conducting continuous security monitoring and incremental testing. They try different security solutions without a consistent and coherent application security strategy. Obviously, one day such an approach will fail.
"Regulations, such as GDPR, do not necessary help. In the past two years many companies were over-concerned to comply with GDPR on paper, ignoring practical security requirements due to limited budget and resources. Management is often satisfied with a formalistic approach to compliance, ignoring the practical side of cybersecurity and privacy. Legal ramifications for Marriott and its subsidiaries can be tremendous, from harsh financial penalties from authorities in many countries to individual and class-action lawsuits from the victims," he added.