facebook-pixel

Marriott discloses a massive data breach impacting 500 million guests

(Danny Johnston | The Associated Press) In this Tuesday, April 30, 2013, file photo, a man works on a new Marriott sign in front of the former Peabody Hotel in Little Rock, Ark. Marriott says the information of up to 500 million guests at its Starwood hotels has been compromised. It said Friday, Nov. 30, 2018, that there was a breach of its database in September, but also found out through an investigation that there has been unauthorized access to the Starwood network since 2014.

By Taylor Telford | The Washington Post
  | Nov. 30, 2018, 4:39 p.m.

Washington • Marriott International revealed Friday that its Starwood reservations database had been hacked and that up to 500 million guests could be affected.

The data breach involved information mined from the reservations database for Starwood properties, which include Sheraton, Westin and St. Regis hotels, among others. An unauthorized party had accessed the database since 2014, company officials said. The breach included names, email addresses, passport numbers and payment information, according to the hotel giant.

"We deeply regret this incident happened," Arne Sorenson, Marriott's chief executive, said in a news release. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

Marriott said that it reported the breach to law enforcement and is also notifying regulatory authorities.

The hotel chain has set up a website and call center to answer questions at info.starwood.com, and it is emailing affected guests beginning Friday.

The company said Friday that it had learned on Sept. 8 that an unauthorized party had access to its systems but was unable to decrypt what was stolen until Nov. 19.

Investigators discovered that the hackers had had access to Marriott's system since 2014. Marriott bought Starwood properties in 2016.

For 327 million guests, the information exposed was strictly personal: birthdays, passport numbers, email and mailing addresses, and phone numbers.

While some credit card information, card numbers and expiration dates may also have been compromised, it was stored using a more advanced encryption method. Still, Marriott said it had "not been able to rule out" the possibility that card information had also been stolen.

"We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve," Sorenson said. "We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network."

Based in suburban Bethesda, Maryland, Marriott is one of the world's largest hotel chains with more than 6,700 properties.

Its shares were down 4 percent during premarket trading.

By Taylor Telford | The Washington Post