World-wide hotel chain Marriott has today announced a huge security breach affecting the personal details of 500 million hotel guests, stolen during an attack.
Whilst the sheer volume of the attack is staggering, perhaps most worrying is the fact that the breach happened in 2014, but Marriott says it only became aware of it on 10th September, two days after its employees spotted an internal security alert about an attempt to access Marriott’s Starwood guest reservation database, located in the United States.
Marriott has explained that it has been working with leading security experts to investigate the incidents, revealing that an unauthorised party (details yet to be confirmed) had copied and encrypted information, and had then taken steps towards removing it.
Arne Sorenson, Marriott’s President & CEO, commented:
“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.”
Forensic experts subsequently managed to decrypt the data stolen from the database on 19th November, earlier this month.
It is estimated that up to approximately 500 million guests who made a reservation at a Starwood property have been affected.
The database is likely to have included personal data for guests staying at any of the hotel brands under the Starwood hotel chain name, including: W Hotels, St. Regis, Le Méridien Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Sheraton Hotels & Resorts, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Design Hotels and Four Points by Sheraton.
At the time of writing, it is thought the attack has breached names, postal addresses, phone numbers, email addresses and passport numbers, which makes the data an ideal target for would-be identity thieves. In addition, some other information such as date of birth, gender, arrival and departure information, reservation date, and communication preferences could have also been compromised.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128),”
Marriott have today started contacting all affected guests via email and will be encouraging hotel guests to visit info.starwoodhotels.com for information about the data breach. In addition, it is reported that Marriott are to offer a free identity monitoring service to eligible victims.