Marriott announced today that malicious actors have stolen the records of as many as 500 million guests from the Starwood Hotels’ reservation system, including some credit card information. Marriott acquired the Starwood Hotels chain in 2016.
On November 19, 2018, Marriott’s investigation determined that malicious parties had had unauthorized access to Starwood’s internal network since 2014. The attackers were able to collect private data on up to 500 million guests from all of Starwood’s hotel brands, including W Hotels, Sheraton, Le Méridien and Four Points by Sheraton.
Marriott said that for about 327 million of these guests, the exposed information includes the mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
Payment Information Also Stolen
Some guests also had their payment card numbers and payment card expiration dates stolen. Marriott claimed that this information was encrypted using the symmetric encryption algorithm AES. However, the company noted it doesn’t know whether or not the attackers also gained access to the components required to decrypt that information.
Arne Sorenson, Marriott’s President and CEO, said the company has set up a call center and a dedicated website to address any questions the victims of the data breach may have.
Sorenson added that Starwood’s systems will be phased out and replaced by a new system with enhanced security that will presumably fare better against this kind of unauthorized access in the future.