This morning Marriott disclosed that its Starwood guest reservation database had been breached by an unauthorized account since as far back as 2014. According to the hotel chain, as many as 500 million guests were potentially impacted. This attacker, says Marriott, “copied and encrypted information.” The company says it was subsequently able to decrypt that information and learn what the party had accessed.
Marriott gave a rundown of what the hackers likely accessed:
- Around 327 million guests had the following information breached: “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”
- For some of those guests, that included both credit card numbers and expiration dates. Marriott says it does encrypt that data; however, the company has been unable to determine whether the attackers were able to access the two components needed to decrypt it.
- The other guests impacted had their names and perhaps their addresses breached–along with “other information.” It’s unclear what that other information could mean.
Marriott says it is working with law enforcement and is now informing regulatory authorities.
Beginning today, the company will be emailing customers who were impacted. It’s also set up a dedicated website and call center. In addition, Marriott is offering impacted customers access to the WebWatcher service for one year, so that they can monitor their personal data as more becomes known about this breach. “We deeply regret this incident happened,” said CEO and president Arne Sorenson in a statement.
Overall, this is an extremely severe situation–it seems to be on a larger scale than the Equifax breach from 2017. It’s becoming more and more commonplace for large companies to be hacked. The real victims continue to be the hundreds of millions of customers who put their trust in these organizations.
For now, we know very little about exactly what happened and how the company plans to react. We’ll see if Marriott is able to respond adequately to this highly disturbing announcement.