Marriott Hotels group has confirmed that its Starwood Hotels guest database of 500 million customers has been stolen in a data breach. Marriott-owned Starwood Hotels is the largest hotel chain in the world, with more than 11 brands covering 1,200 properties around the world. Its brands include Element Hotels, Sheraton Hotels, St. Regis Hotels, Westin Hotels, W Hotels and more. Starwood-branded timeshare properties are also included.
Marriott filed a statement with U.S. authorities that said in part that “unauthorized access” to its guest database was detected on or before September 10, 2018. The company also said that access of Starwood customer data might date back to 2014.
In its statement, the company said: “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. (and) Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.”
Many of the details of the data hack remain unknown at this time. According to Starwood, it was able to obtain a copy of the database and decrypt it on November 19. The company forensically examined the data and “determined that the contents were from the Starwood guest reservation database.”
The majority of the data, 327 million records, contained a guest’s name, date of birth, gender, passport number, email address, postal address and phone number. Other information included reservation dates, arrival and departure information, Starwood points and rewards information, and guest communication preferences.
The 327 million guest records cover guests from Asia (including China, Japan, Southeast Asia, South Korea and other areas) as well as guests from Africa, Canada, Europe and the United States who stayed with Starwood Hotels. Starwood said that an unknown number of records also contained encrypted credit card data.
In its statement to media, Marriott said: “Marriott reported this incident to law enforcement and continues to support their investigation.” The company said that its Marriott hotels are not believed to be affected as its reservation system is “on a different network,” following Marriott’s acquisition of Starwood in 2016.
Legal experts note that the data breach falls under the GDPR European-wide rules and that Starwood may face significant financial penalties of up to 4% of its global annual revenue if found to be in breach of the rules.
Since the data hack became known, Marriott and Starwood have faced intense scrutiny and scorn from IT experts over the company’s incompetent security systems. Experts noted that if Starwood knew of a breach in 2014, it should have upgraded its network and security systems and reported the original breach as soon as it happened so that customers were protected.
The company has also been criticized in U.S. media over its notification emails, sent last week to 500 million people from third-party servers, which could have been spoofed by outsiders. An article in TechCrunch said: “Companies should host any information on their own websites and verified social media pages to stop bad actors from hijacking victims for their own gain.”
Legal experts across the globe are now looking at whether class-action lawsuits should be pursued against Starwood, and decisions on this will be made in the weeks to come. In the meantime, security experts recommend that anyone who stayed in a Starwood-brand hotel during the last five years should immediately review their account and change their password and security information. They also recommend that customers update their password and security information on any additional sites that may be linked to Starwood, such as airline, car rental, travel and retail companies, and that if any of their data appears to be compromised, they notify Starwood immediately as well as their local bank and police authorities.