Marriott today revealed a massive security breach that affected its Starwood reservation system. The breach played out over four years and potentially exposed the personal information of around 500 million guests. A portion of those affected guests may have had credit card information exposed too, so to say this breach is “pretty bad” would likely be understating it a bit.
Marriott discovered this extensive breach following an investigation on November 19, 2018. It notes that a third-party gained unauthorized access to a database for Marriott’s Starwood brand, which held information on guest reservations for those properties placed on or before September 10, 2018. It sounds like that third-party had copied and encrypted the information housed in that database before Marriott discovered that there was an issue. That, as you’ve probably already guessed, is not good.
Even more troubling is that this third-party had access to the database since 2014. Though Marriott says that it’s still working to decrypt the information that was stolen, it believes that it “contains information on up to approximately 500 million guests who made a reservation at a Starwood property.” For around 327 million of those guests, the compromised data includes some combination of “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
Further, for some of those guests – Marriott wasn’t clear on just how many – the compromised data includes card numbers and expiration dates. Marriott says that the card information stored on that database was encrypted using AES-128, but it also notes that the third-party may have made off with the two components needed to decrypt that information. Here’s a list of Starwood properties that potentially had information stored on that server:
W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.
So, if you stayed at one of those properties at any point in the last four years, there’s a possibility that your information was compromised in this breach. Marriott has set up a dedicated website and call center to provide information about the breach, and it’ll begin sending out emails to affected guests today. It’s also offering affected customers a free year-long subscription to WebWatcher, which you can sign up for at the website linked above.
If you think that your information was included in this breach – or, indeed, you receive a notification that it was – it’s probably a good idea to at least watch your credit card statements closely for a while. We’ll see what happens from here, but as far as security breaches go, this is one of the worst we’ve heard about in a long time. Stay tuned.