Hackers accessed up to 500 million customer records in Marriott Hotels’ Starwood reservation system in an attack that began four years ago, the hotel company said last week. The exposed data included payment details and account information, among other things.
- For about 327 million guests, the exposed data included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
- Some records also included payment card numbers and card expiration dates. The card numbers were encrypted with AES-128, but Marriott said it could not rule out that the two components needed to decrypt them had also been taken, so the encryption should not be assumed to protect those cards.
- For the remaining guests, the exposed information was limited to mailing address, email address, or other less sensitive information.
Marriott has reported the incident to law enforcement and has begun notifying regulatory bodies.
“Marriott deeply regrets this incident happened. From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts. Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center,” the company said in a statement
Marriott first learned of the unauthorized access on September 8, 2018, when an internal security tool flagged an attempt to access the Starwood database; the investigation later found that the system had been accessible to the attacker since 2014. The attacker had copied and encrypted the data before taking it out of the network. By November 19, Marriott was able to decrypt that information and determine that it came from the Starwood guest reservation database. Marriott’s Starwood brands include St. Regis, Le Meridien, and Westin Hotels, among others.
Attorneys filed a lawsuit in a US federal court within hours of the breach notification, Reuters reported. The lawsuit seeks class-action status for affected customers, accuses Marriott of negligence and deceptive and unfair trade practices, and seeks compensation for harm caused by the exposure. The UK’s Information Commissioner’s Office has said it will investigate the attack.
Marriott’s Twitter account is flooded with customers asking about their own information.
@vincentius_e We understand your concern. We began sending emails on Nov 30, 2018 to affected guests. Due to the volume, you may not receive yours immediately.
— Marriott Internat’l (@MarriottIntl) December 2, 2018
Are you planning to email your rewards members? We’re more than 24 hours into these revelations and not everyone is going to come and hunt you down on social media. Why did you wait for me to reach out? https://t.co/NcBascXqy0
— Yasmine El-Sabawi (@yasmineelsabawi) December 1, 2018
What Marriott is doing now
- Marriott began notifying affected customers of the breach by email on November 30.
- Marriott is running a 24×7 call center in multiple languages to answer guests’ questions about the exposure of their personal information.
- The group will phase out the Starwood systems and says it is accelerating security improvements on its network.
- Customers can enroll in WebWatcher free of charge for one year where it is available in their country. WebWatcher monitors internet sites where personal information is shared and alerts the guest if their information is found; US guests who enroll also receive fraud consultation services and reimbursement coverage.