Northwest Arkansas Democrat-Gazette

Data of 500 million hotel guests at risk

Array of personal details taken in four-year hack of Marriott reservation system

Information for this article was contributed by Amie Tsang and Adam Satariano of The New York Times, and by Michelle Chapman and Mae Anderson of The Associated Press.

The Marriott International hotel chain said Friday that the database of its Starwood reservation system had been hacked and that the personal details of up to 500 million guests going as far back as 2014 had been compromised.

The hotel group, which runs more than 6,700 properties around the world, was informed in September about an attempt to access the database, and an investigation last month revealed that unauthorized access had been made on or before Sept. 10, Marriott said in a statement.

The hotel chain said personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised.

The investigation found that “there had been unauthorized access to the Starwood network since 2014,” and an “unauthorized party had copied and encrypted information, and took steps toward removing it,” the statement said.

Hackers also obtained encrypted credit-card information for some customers, but it was unclear if the hackers would be able to use those payment details.

Marriott said it wasn’t sure how many passport numbers and dates of birth were stolen but that it was a “subset” of the larger number of affected consumers, since this information is not a part of every reservation.

The hack affects customers who made reservations for Starwood hotel brands from 2014 to September of this year. The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Meridien, Tribute, Design Hotels, Elements and the Luxury Collection.

When the Marriott-Starwood merger was first announced in 2015, Starwood had 21 million people in its loyalty program.

Marriott hotels, including Residence Inn and the Ritz Carlton, operate on a separate reservation system. The company has plans to merge that system with Starwood’s.

Richard Gold, head of security engineering at the cybersecurity firm Digital Shadows, said the breach ranks among the largest of consumer data, on par with breaches at Yahoo and the credit-scoring giant Equifax.

“This is an incredibly big number,” Gold said.

He said hotels are an attractive target for hackers because they hold a lot of sensitive information, including credit card and passport details, but often don’t have security standards as tough as those of more regulated industries, like banking.

“On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade,” said Chris Wysopal, chief technology officer of Veracode, a security company.

“We deeply regret this incident,” Arne Sorenson, Marriott’s president and chief executive officer, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Investigations into the Marriott leak were announced by European regulators and the New York state attorney general, Barbara Underwood.

“It’s astonishing how long it took them to discover they were breached,” said Gus Hosein, executive director of Privacy International, a group that supports strong data protection laws. “For four years, data was being pilfered out of the company, and they didn’t notice. They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing.”

The hackers’ access to the reservation system could be troubling if they turn out to be nation-state spies rather than con artists simply seeking financial gain, said Jesse Varsalone, associate professor of cybersecurity at the University of Maryland University College.

Reservation information could mean knowing when and where government officials are traveling, to military bases, conferences or other destinations abroad, he said.

“There are just so many things you can extrapolate from people staying at hotels,” Varsalone said.

The richness of the data makes the hack unique, Wysopal said.

“Once you know someone’s arrival, departure, room preferences,” that could be used to incriminate a person or for a reputation attack that “goes beyond your traditional identity theft or credit-card theft,” he said.

The breach is far larger than the one last year at Equifax, a credit bureau, from which attackers stole information on 148 million people, including names, Social Security numbers, birth dates and addresses. In that case, the thieves also grabbed scans of around 3,200 passports from people who had uploaded them to an Equifax customer service website.

Equifax has spent more than $400 million on recovery from its breach, according to the company’s regulatory filings.

Marriott said it had set up a dedicated website and call center to deal with questions guests might have about their personal information and had notified regulatory and legal authorities. Marriott also said it would try to reach affected customers Friday to inform them of the security breach.

The company is offering one year of free enrollment in Web Watcher to people who live in the United States, Canada and Britain. Marriott described it as a service that keeps an eye on Internet sites where thieves swap and sell personal information and then alerts people if anyone is selling their information.

Customers who wanted to enroll were already confused Friday because the user interface was unclear.

Marriott, based in Bethesda, Md., is the world’s largest hotel chain, having bought Starwood Hotels and Resorts Worldwide two years ago for $13.6 billion. The merger brought brands like Westin, W and Sheraton under the same roof and prompted questions about whether the brands being acquired would lose some of their cool factor.

Customers also complained about problems with rewards programs after efforts to merge data from Starwood’s rewards program into Marriott’s left the records of millions of customers in limbo for weeks.

The company also has been grappling in recent weeks with strikes by thousands of workers, who walked out of 49 hotels in nine cities to call for better health care, wages and protection from sexual harassment.

In August, the Justice Department indicted members of an eastern European cybercrime ring called Fin7. Hotel chains were among its targets.

In 2015, Starwood disclosed that the point-of-sale systems at some of its hotels had been hacked, resulting in the loss of payment card details.

Knowing the culprits behind the latest breach would help investigators know what the information will be used for, Gold said. Passport information is particularly useful to criminals for identity theft, he said. A nation-state is more likely to use the information for intelligence purposes, such as learning about the whereabouts of important people.

In Europe, where companies can be fined up to 4 percent of global revenue under data-protection laws, companies are required to alert government authorities within 72 hours of a known hack. Given the volume and sensitivity of personal data taken, and the length of the breach, Marriott “has the potential to trigger the first hefty GDPR fine,” said Enza Iannopollo, a security analyst with Forrester Research, referring to the European data-protection law enacted this year.
