A massive data breach in Marriott International’s Starwood guest reservation database has jeopardized the personal information of potentially half a billion guests. The breach, one of the largest in a series of recent data breaches in hotel computer systems, apparently has been bleeding information out for four years.
Marriott said the investigation into the breach began in September after one of its internal security tools detected an attempt to access the database in the U.S. It determined that since 2014 an unauthorized party had been copying and encrypting information from the database. While the company is still sifting out duplicate data, it currently believes that the data came from about 500 million guests.
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” the company said. “For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption.”
Other information included mailing and email addresses. The company has reported the breach to law enforcement and regulatory agencies. Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties are also included in the database.
“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center,” said Marriott President and CEO Arne Sorenson. “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
The dedicated website is info.starwoodhotels.com, and the call center is open 24/7 in multiple languages. The company is also sending email notifications to affected guests on a rolling basis, and it is offering free enrollment in WebWatcher, a service that monitors the internet for unusual activity with clients’ information.
The Marriott breach is second in size only to the 2017 breach at Yahoo that affected 3 billion accounts, according to CNN.com. CNN also reported that Marriott’s stock fell 4 percent in premarket trading Friday on news of the breach.
In October, Radisson Hotels found a breach in its Radisson Rewards system. In that breach, an unauthorized party gained access to some members’ names, addresses (including country of residence), email addresses and, in some cases, company names, phone numbers, Radisson Rewards member numbers and any frequent flyer numbers on file.
The company revoked the unauthorized access and flagged all affected accounts to monitor for suspicious behavior. It also warned members to look out for “social engineering” attempts to get more information.
“You should also be aware that third parties may claim to be Radisson Rewards and attempt to gather personal information by deception (known as ‘phishing’),” the company said. The phishing can include links to fake websites. “Radisson Rewards will not ask for your password or user information to be provided in an e-mail.”
Last year saw several data breaches at major hotel chains. In May, Sabre reported a breach in its online reservation system that did compromise payment card information. Around the same time, Hard Rock Hotel properties reported a breach in their reservation system as well.