Marriott hack hits 500 million Starwood guests

The records of 500 million customers of the hotel group Marriott International have been involved in a data breach.

The hotel chain said the guest reservation database of its Starwood division had been compromised by an unauthorised party.

It said an internal investigation found an attacker had been able to access the Starwood network since 2014.

The company said it would notify customers whose records were in the database.

Starwood’s hotel brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton. Marriott-branded hotels use a separate reservation system on a different network.

Marriott said it was alerted by an internal security tool that somebody was attempting to access the Starwood database. After investigating, it discovered that an “unauthorised party had copied and encrypted information”.

It said it believed its database contained records of up to 500 million customers.

For about 327 million guests, the information included “some combination” of:

  • name
  • address
  • phone number
  • email address
  • passport number
  • account information
  • date of birth
  • gender
  • arrival and departure information

It said some records also included encrypted payment card information, but it could not rule out the possibility that the encryption keys had also been stolen.

“We deeply regret this incident happened,” the company said in a statement.

“Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities.”

The company has set up a website to give affected customers more information. It will also offer customers in the US and some other countries a year-long subscription to a fraud-detecting service.

In a statement, the UK’s Information Commissioner’s Office said: “We have received a data breach report from Marriott involving its Starwood Hotels and will be making enquiries. If anyone has concerns about how their data has been handled they can report these concerns to us.”


Analysis

by Chris Fox, technology reporter

It’s not the biggest data breach we’ve ever seen (that dubious honour goes to Yahoo!) but it’s certainly up there with some of the worst.

Not only were up to 500 million customer records accessed and potentially copied, but the attackers had unauthorised access since 2014.

And even though payment card information was encrypted, the company thinks the key may have been stolen too.

The UK’s data regulator has confirmed it is investigating, and so the threat of a whopping GDPR penalty looms.

Although the Marriott group is headquartered in the US, it has to comply with the EU’s GDPR rules when dealing with citizens in the EU.

The way it has disclosed this breach, notified customers and offered fraud-checking services will certainly help its cause.

But the ICO and other international regulators may rule the company has been too slow to act.

As always with a big data breach, be aware that scammers may send out emails claiming to be from the Marriott group.

The hotel chain says it will not send any notification emails with attachments, and will not request any information from its customers.

It has urged people to check for the latest information on its official help website.

