Today (30th of November 2018) Marriott International announced that its Starwood booking database in the US had been hacked.
Marriott was alerted to the intrusion on 8th September and, according to its site, “quickly engaged leading security experts” to determine what had occurred.
In a statement on its website, Marriott said: “The company recently discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property.”
During the investigation process, the company discovered that there had been unauthorised access to its network since 2014. Marriott said it reported the incident quickly to law enforcement and has already started the process of notifying regulatory authorities.
Of the estimated 500 million affected, 327 million guests had information that includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences compromised.
The company said that for some, the information included payment card numbers and expiration dates but said that the card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). However, Marriott admitted that it had not been able to rule out the possibility that both were taken. According to the statement, for the remaining guests, the information was limited to name and sometimes other data such as mailing address and email address.
Marriott CEO Pledges to Remedy the Situation
Arne Sorenson, Marriott’s president and CEO, said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.
“Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
To support those affected the company has established a dedicated website and call centre to answer questions about the incident. As of today, the company said it will begin sending emails on a rolling basis to affected guests whose email addresses in the Starwood guest reservation database.
It will also be providing guests with the option to enroll, free of charge, for one year in WebWatcher, a service that monitors internet sites where personal information is shared and generate an alert to the user if evidence of their personal information is found.