One of the largest data breaches in history may have exposed the personal information of up to 500 million people who made a reservation at one of Marriott’s Starwood hotel chains.
Marriott disclosed on Friday that hackers had had “unauthorized access” to the Starwood reservation system since 2014, but that the company was not alerted to a possible intrusion until Sept. 8, 2018.
A subsequent investigation determined “an unauthorized party had copied and encrypted information, and took steps towards removing it,” the company said in a news release, and on Nov. 9, “Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”
The Starwood chains, which Marriott acquired in 2016, include St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points, and W Hotels.
Starwood’s reservation database contains information on up to approximately 500 million guests. Marriott said the exposed information for 327 million people includes names, phone numbers, email addresses, and passport numbers, and, for some, Marriott cannot rule out the possibility that payment card numbers and expiration dates were also compromised.
“We deeply regret this incident happened,” CEO Arne Sorenson said. “We fell short of what our guests deserve and what we expect of ourselves.”
According to CNN, the breach is the second-largest in history, behind only an attack on Yahoo that compromised 3 billion accounts. Security experts expressed particular concern that the Starwood database includes rarer prizes for hackers, such as passport numbers, travel locations, and arrival and departure dates.
“This is extraordinarily intimate data,” Edward Hasbrouck, a travel writer and critic of security systems for computerized travel records, told The Washington Post. “The travel industry has been grossly negligent compared to many industries when it comes to data privacy and security.”
The states of New York, Maryland, and Pennsylvania have already opened investigations into the breach. “We want to know who was affected, what personal info was compromised, how it happened, and when Marriott knew about the breach,” Pennsylvania Attorney General Josh Shapiro said.