Marriott has revealed that its Starwood guest reservation database was recently impacted by a security breach. The intrusion was detected on November 19 by a Marriott investigation after the company received an alert on September 8, 2018. Following the alert, Marriott says it tapped security experts as part of an investigation that ultimately discovered “unauthorized access” on its Starwood network. This access had been in place since 2014.
Marriott revealed the breach in a statement today, explaining that the impacted database contained guest information provided as part of the reservation process. The information pertained to Starwood properties, including Sheraton Hotels & Resorts, Element Hotels, and more, for reservations made on or before September 10.
The investigation revealed an unauthorized access on Starwood’s network since 2014, which included an “unauthorized party” copying and encrypting data before removing it. On November 19, Marriott says its experts decrypted the data, discovering that it was a guest reservation database. At this time, the company believes up to 500 million guests may be impacted by the data theft.
What data was leaked?
Of those 500 million guests, Marriott says that around 327 million had a combination of guest data exposed that could include things like names, passport numbers, addresses, and more. As well, “some” guests may have had their payment card information, including card numbers and expiration dates, stolen — though Marriott says they were encrypted with AES-128 encryption.
“There are two components needed to decrypt the payment card numbers, and at this point,” the company said, “Marriott has not been able to rule out the possibility that both were taken.”
Some impacted guests were more fortunate, with their stolen information potentially being limited to things like names, email and mailing addresses. An investigation is still underway; the company hasn’t stated whether it knows who is responsible for the intrusion.
What to do next
Marriott has set up a dedicated website for customers concerned or impacted by the data breach. The site includes an FAQ and a number for a call center that will answer questions about the incident. Impacted guests will be receiving emails from the company that are rolling out starting on November 30. Those guests are given the option of enrolling in WebWatcher for free to monitor sites for their personal data.