Marriott's Starwood hotels faced a major data breach from 2014 to 2018.

Mike Mozart/Flickr (CC-BY)

Marriott database breach exposes up to 500 million customers’ data

The breach began in 2014.


Ana Valens


Posted on Nov 30, 2018   Updated on May 21, 2021, 12:27 am CDT

If you’ve stayed at a Marriott-owned hotel in the past four years, you may want to change your passwords and double-check your credit card statements. The hotel chain recently disclosed a breach of its Starwood guest reservation database that affected up to 500 million customers over a four-year period.

In 2014, hackers gained “unauthorized access” to the reservation database of Starwood Hotels and Resorts, whose brands include Westin, Sheraton, and W Hotels, among others. That unauthorized party “copied and encrypted information” from the database. Two years later, Marriott acquired Starwood, but the parent company did not discover the breach until an internal security tool flagged an attempt at “unauthorized access” to the database on Sept. 8, 2018.

“The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property,” Marriott announced in an official statement, according to NBC News.

Marriott has since set up an official website detailing information on the hack and its impact on customers. According to the site, 327 million guests’ exposed data included “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

The exposed information also includes payment card numbers and expiration dates for “some” customers, although the card numbers were stored encrypted with the Advanced Encryption Standard (AES). It remains unclear whether the attackers were able to decrypt that data.

“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” Marriott announced.
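The practical point behind Marriott’s statement is that AES only protects stored card numbers if the material needed to decrypt them was not taken along with the ciphertext. The following is an added example, not Marriott’s code or a description of the scheme Starwood actually used: it shows a common envelope-encryption layout in which each record’s card number is encrypted with a per-record data key, and that data key is in turn wrapped under a key-encryption key (KEK) that is assumed to live outside the database. A copy of the database alone yields nothing; the database plus the KEK yields every card number. The card number, record layout and key sizes are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record mimics one row of a reservation database. The card number is stored
// only as AES-GCM ciphertext. The per-record data key that protects it is stored
// alongside, but wrapped (encrypted) under a KEK that is never written to the DB.
// This layout is an assumption for the example, not Starwood's actual schema.
type Record struct {
	Nonce      []byte // GCM nonce for the card ciphertext
	CardCT     []byte // AES-GCM ciphertext of the card number
	WrapNonce  []byte // GCM nonce for the wrapped data key
	WrappedKey []byte // data key encrypted under the KEK
}

// seal encrypts plaintext under key with AES-GCM and a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates AES-GCM ciphertext; a wrong key fails the tag check.
func open(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// StoreCard encrypts a card number with a fresh 256-bit data key and wraps that
// data key under kek. Only kek has to be kept out of the database.
func StoreCard(kek []byte, pan string) (Record, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Record{}, err
	}
	nonce, ct, err := seal(dataKey, []byte(pan))
	if err != nil {
		return Record{}, err
	}
	wrapNonce, wrapped, err := seal(kek, dataKey)
	if err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, CardCT: ct, WrapNonce: wrapNonce, WrappedKey: wrapped}, nil
}

// RecoverCard is the path both the application and an attacker must take:
// unwrap the data key with the KEK, then decrypt the card number with it.
func RecoverCard(kek []byte, r Record) (string, error) {
	dataKey, err := open(kek, r.WrapNonce, r.WrappedKey)
	if err != nil {
		return "", errors.New("cannot unwrap data key: KEK missing or wrong")
	}
	pan, err := open(dataKey, r.Nonce, r.CardCT)
	if err != nil {
		return "", errors.New("card ciphertext failed authentication")
	}
	return string(pan), nil
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	// Constructed test card number (the standard Visa test PAN), not real data.
	rec, err := StoreCard(kek, "4111111111111111")
	if err != nil {
		panic(err)
	}
	// Attacker holding only a copy of the database: every record, but no KEK.
	if _, err := RecoverCard(make([]byte, 32), rec); err != nil {
		fmt.Println("database dump alone:", err)
	}
	// Attacker who also took the KEK, the second component in Marriott's wording.
	pan, err := RecoverCard(kek, rec)
	if err != nil {
		panic(err)
	}
	fmt.Println("database dump plus KEK:", pan)
}
```

The check a practitioner would want after a breach like this is therefore not “was the column encrypted?” but “did the exfiltrated data include the wrapped keys, and could the attacker reach the KEK (an HSM, a KMS, or a secrets store) from the same foothold?” If both answers are yes, the encryption bought nothing.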

For Marriott customers potentially impacted by the breach, the hotel chain has created a dedicated call center to answer questions, available seven days per week in various languages. Emails are rolling out to impacted guests as well, and the hotel chain is offering one year of free access to WebWatcher, a service that monitors the internet for signs that a guest’s personal information has been shared.

“From the start, we moved quickly to contain the incident and conduct a thorough investigation with the assistance of leading security experts,” Marriott wrote on its website. “Marriott is working hard to ensure our guests have answers to questions about their personal information with a dedicated website and call center. We are supporting the efforts of law enforcement and working with leading security experts to improve.”

Marriott may face more than customer unease. New York Attorney General Barbara Underwood has opened an investigation into the breach, stressing that residents “deserve to know that their personal information will be protected.” Meanwhile, Marriott may face penalties if it is found to have violated the European Union’s General Data Protection Regulation.

“The size and scale of this thing is huge,” KPMG’s Privacy Advisory Practice’s global lead Mark Thompson told CNN, stressing that Marriott will “likely” face a penalty.

Marriott’s Starwood database breach is one of the largest personal information breaches in history, eclipsed only by Yahoo’s. In 2013, a network breach at Yahoo impacted three billion accounts after hackers stole names, phone numbers, birth dates, hashed passwords, security questions, and backup email addresses from the web service.


H/T Twitter

*First Published: Nov 30, 2018, 10:56 am CST