Marriott BreachUpdated: Feb. 18, 2019

The hospitality industry has been rife with data breach woes for a number of years now, and it seems that we aren’t done learning about hotel-based data breaches. Marriott just revealed that a whopping 500 million customers of its Starwood properties could have had some of their information compromised in a breach that first began in 2014 and went unnoticed until earlier this fall. If that isn’t shocking enough, it’s possible this breach could be related to one that Starwood disclosed in 2015, making us wonder whether any steps were taken in the years between to improve cybersecurity within the company or not. Keep reading to learn what you need to know about how this breach occurred, who might be impacted and what Marriott is doing about it.

How was the breach discovered?

According to information published on its website, the breach — originally believed to have occurred four years ago in 2014 and remained undetected until now — was discovered on Sept. 8, 2018 when employees received an alert from an internal security tool. This alert showed that someone had attempted to access the U.S. Starwood guest reservation database, and further investigation determined that the intruder had copied and encrypted some of the information, then made attempts to remove it from the database. Upon decrypting this data on Nov. 19, 2018, it was determined that it had indeed come from the Starwood guest reservation database. Marriott says it has notified authorities and will be working with them and cybersecurity experts to learn more about this breach and improve security in the future.

Which Marriott properties are involved?

Only properties within Marriott’s Starwood portfolio, which it acquired in 2016, are involved in this data breach. Marriott-branded hotels use a different guest reservation system that exists on a separate network. It’s interesting to note, as Krebs on Security does, that Starwood reported a data breach in 2015 shortly before the Marriott acquisition was announced. That breach was thought to have begun in 2014 as well, though it centered around point-of-sale systems at cash registers, not the guest registration database. There’s no indication yet whether or not this breach is related to that one or a separate incident.

Per the FAQ on its breach page, Marriott says that Starwood properties include: “W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program. Starwood branded timeshare properties are also included.”

Who and what was exposed?

As of yet, Marriott has not finished identifying duplicate information in the database, but it’s believed that upwards of 500 million people may be impacted — making this the second largest data breach on record, second only to the Yahoo breach. According to Marriott, around 327 million people’s names, phone numbers, email addresses, Starwood Preferred Guest information, passport numbers, dates of birth, gender and arrival/departure dates (or a combination of some of this information) were exposed, while millions of others also may have had their credit card numbers and expiration dates compromised. The company notes that the latter information was encrypted using Advanced Encryption Standard (AES-128), which means two components were required to decrypt the information; at this point, Marriott has not been able to rule out whether or not both were taken. This breach is significant not only due to its sheer size, but also because its victims are citizens from all over the world — to wit, the company has set up separate websites for U.S., Canadian and U.K. victims to get information.

An update posted to the official website set up for data breach news and information on Feb. 15, 2019 reported that the company’s investigation had concluded that around 383 million unique guests were impacted. This was determined after analysis of the data and efforts to remove as many duplicate entries as possible. Furthermore, Marriott said it believes that approximately 8.6 million unique payment card numbers were involved (all encrypted), as well as 5.25 million unencrypted passport numbers and a further 20.3 million encrypted passport numbers.

How is Marriott handling the situation?

As is custom after data breaches like this are uncovered, the company has notified law enforcement of the breach. The New York attorney general, where the company’s headquarters are based, has launched its own investigation, as have the attorneys general in Maryland and Pennsylvania. It’s likely that the hotel company will face stiff penalties for violations of the European GDPR privacy laws that went into effect earlier this year, since many of the affected customers include European residents.

Marriott will be notifying anyone who is possibly impacted by email shortly, and it provided some tips to help customers ensure any emails they receive are legitimate. These include double-checking that the email comes from, does not have any attachments, does not request any information and only links back to the Kroll website. Going forward, all impacted guests are being offered a free WebWatcher membership, provided by Kroll Cybersecurity, though the site notes that the product may not work for residents of certain countries. U.S. residents will also be able to take advantage of two additional benefits: fraud loss reimbursement, which will refund out-of-pocket expenses related to any one stolen identity event (up to $1 million for covered legal costs and expenses), and unlimited consultations with Kroll fraud specialists. Marriott also instructs Starwood Preferred Guest members to monitor their accounts for signs of suspicious activity, and all potential victims to keep an eye on their credit card statements for signs of fraud.

What can potential victims do to protect themselves?

You can take advantage of the WebWatcher membership if you wish, though if any identity theft has or is going to occur as a result of this breach, there’s little that anyone can do to prevent it. If you’re a Starwood Preferred Guest member, take the time to change your login details, and keep tabs on your credit or debit card statements (if you don’t already do this, it’s never a bad time to start). Placing a freeze on your credit reports is one of the best things anyone in the U.S. can do for themselves (they’re free now!), as this helps mitigate some of the damage a person with your information can do. If you want to keep a close eye on what’s happening with your credit reports, you can also opt to sign up for a credit monitoring service — at the very least, you’ll want to get into the habit of checking your credit reports yourself once a year. Finally, keep an eye out for further communications from Marriott. Since this is an ongoing investigation, it’s likely more details will be released in the coming months.

To keep up with the latest news when it comes to data breaches and other cybersecurity matters, don’t forget to bookmark our cybersecurity blog.