International hotel chain Marriott announced today a security breach in which the personal details of up to 500 million hotel guests were stolen.
The breach happened in 2014, but Marriott says it became aware of it on September 10, two days after its staff spotted an alert from an internal security tool about an attempt to access the Starwood guest reservation database in the United States.
The hotel chain says it brought in leading security experts to investigate the alert. Investigators found that the intrusion dated back to 2014, and that an unauthorized party had copied and encrypted information and taken steps toward removing it from the network.
Marriott said forensic experts managed to decrypt the data attackers stole from the Starwood guest reservation database earlier this month, on November 19.
They said the attackers exfiltrated information on up to approximately 500 million guests who made a reservation at a Starwood property.
The Starwood hotel chain, which Marriott acquired in 2016, includes other hotel brands, such as W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Investigators said that for 327 million of the Starwood guests, the information that attackers stole included a name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
For some of these guests, payment card data was also stolen, but Marriott did not say for how many.
"For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)," the hotel said today in an SEC filing.
"There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken," the hotel chain added.
For the remaining guests, who bring the total to up to 500 million, the stolen data was limited to a name and, in some cases, other information such as a mailing address or email address.
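Marriott's filing says the card numbers were AES-128 encrypted and that two components are needed to decrypt them, but it does not name the components. The Go program below is an added illustration, not Marriott's or Starwood's code, and it assumes one common design: each record carries the ciphertext and a per-record data key stored wrapped beside it, while the key-encryption key (KEK) that unwraps the data key is held outside the database. Under that assumption, whoever copies the database gets the ciphertext and the wrapped key, but recovers nothing unless the KEK was taken as well. The type and function names, the record layout and the sample card number (a standard test number) are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CardRecord models one row of a reservation database (constructed example, not a
// Starwood schema): the AES-128-GCM ciphertext of a card number plus the per-record
// data key, itself encrypted ("wrapped") under a key-encryption key (KEK) that is
// assumed to live outside the database, e.g. in an HSM or key-management service.
type CardRecord struct {
	Nonce      []byte // GCM nonce for the card number
	Ciphertext []byte // AES-128-GCM ciphertext of the card number
	WrapNonce  []byte // GCM nonce used when wrapping the data key
	WrappedKey []byte // the 16-byte data key, encrypted under the KEK
}

// NewKey returns a random 16-byte key, the AES-128 key size named in the filing.
func NewKey() ([]byte, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func gcmSeal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

func gcmOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Open authenticates the ciphertext: a wrong key fails here rather than
	// returning garbage that looks like a card number.
	return aead.Open(nil, nonce, ciphertext, nil)
}

// EncryptCard encrypts a card number under a fresh data key and wraps that key
// under the KEK, so the record can be stored without the KEK ever touching the database.
func EncryptCard(kek []byte, pan string) (CardRecord, error) {
	dataKey, err := NewKey()
	if err != nil {
		return CardRecord{}, err
	}
	nonce, ct, err := gcmSeal(dataKey, []byte(pan))
	if err != nil {
		return CardRecord{}, err
	}
	wrapNonce, wrapped, err := gcmSeal(kek, dataKey)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedKey: wrapped}, nil
}

// DecryptCard needs both components: the record (ciphertext plus wrapped key) and the KEK.
// Without the correct KEK the unwrap step fails authentication and nothing is recovered.
func DecryptCard(kek []byte, r CardRecord) (string, error) {
	dataKey, err := gcmOpen(kek, r.WrapNonce, r.WrappedKey)
	if err != nil {
		return "", fmt.Errorf("unwrap data key: %w", err)
	}
	pan, err := gcmOpen(dataKey, r.Nonce, r.Ciphertext)
	if err != nil {
		return "", fmt.Errorf("decrypt card number: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek, _ := NewKey()                             // held outside the database
	rec, _ := EncryptCard(kek, "4111111111111111") // constructed test card number
	pan, err := DecryptCard(kek, rec)
	fmt.Println("with KEK:", pan, err)
	attackerKEK, _ := NewKey() // an attacker with only the database copy has to guess
	_, err = DecryptCard(attackerKEK, rec)
	fmt.Println("without KEK:", err)
}
```

The point of the split is that the database copy alone is one component; if the KEK was stored in, or reachable from, the same compromised environment, the attacker holds both and the encryption buys nothing, which is exactly the possibility the filing says Marriott could not rule out.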
Marriott began notifying affected guests by email today. Guests will also be able to visit a website, available later today at info.starwoodhotels.com, for information about the incident, and those who are eligible will be able to enroll in a free identity monitoring service.
"We deeply regret this incident happened," said Arne Sorenson, Marriott's President and Chief Executive Officer. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."
"Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network," Sorenson added.