As many as 500 million people who made reservations at Starwood properties may have had their personal information accessed in a breach that lasted as long as four years.
Marriott said it determined on Nov. 19 that a breach had occurred involving the Starwood guest reservation database, which has information on reservations at Starwood properties made on or before Sept. 10, 2018.
Marriott said it got an alert Sept. 8 about an attempt to access the Starwood database in the U.S., and enlisted security experts to assess the situation. During the investigation, Marriott learned there had been unauthorized access to the Starwood network since 2014, the company says.
An unauthorized party had copied and encrypted information from the database and had taken steps towards removing it, Marriott says. The company was able to decrypt the information on Nov. 19 and found that the contents were from the Starwood guest reservation database.
For some Starwood guests, the data may also include payment card numbers and payment card expiration dates, but the payment card numbers were encrypted, Marriott says. Still, Marriott has not been able to rule out the possibility that the breach led to that data being accessed. For the remaining guests, the information was limited to name and possibly other data such as mailing address, email address, or other information.
Marriott has notified regulators about the breach and continues to work with law enforcement on the investigation, the company says.
“We deeply regret this incident happened,” Marriott President and CEO Arne Sorenson said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott completed its $13 billion acquisition of Starwood Hotels and Resorts in September 2016.
Source: Mike Snider, USA TODAY