Marriott International has fallen victim to one of the worst data breaches on record, with up to 500 million customers’ data understood to have been stolen.
The breach affects the hotel giant’s Starwood division. While it’s the third in the last three years to hit the company, it’s the first to emerge after GDPR came into force in May.
An internal investigation revealed the attacker had access to Starwood’s customer database from 2014 until 10 September this year, putting the company at risk of fines of up to four per cent of its annual global turnover.
The hotel became aware of suspicious activity on 8 September. It subsequently discovered the attacker had copied and encrypted data, but took until 19 November to decrypt the information and confirm it was the Starwood guest reservation database.
In a statement posted to its website on Friday (30 November), the company announced that “for approximately 327 million of [the affected] guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences”.
The company added that “for some, the information also includes payment card numbers and payment card expiration dates”. “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.” In the remaining cases, the data included names and “sometimes mailing address, email address or other information”.
In the UK, the Information Commissioner’s Office and the National Cyber Security Centre confirmed they were investigating the breach. A spokesperson for NCSC said “we are working with partners to better understand the data breach affecting Marriott International and how it has affected customers”.
“The NCSC website includes advice for people who think they have been affected by a data breach, including guidance on suspicious phone calls and targeted emails that can be sent after a data breach.
“We also recommend that people are vigilant against any suspicious activity on their bank accounts and credit cards and contact their financial provider if they have concerns.”
Commenting on the breach, Sherban Naum, senior vice president at Bromium, said “lying dormant in systems is a common tactic for advanced cybercriminal groups and nation state actors, who will focus on staying hidden and taking time to exfiltrate data, obtain secrets and insert backdoors, ensuring long-term access.
“Often, hackers will gain a foothold through an unsuspecting user and spend time working their way through the network, escalating privileges in order to access a company’s crown jewels. The longer a hacker has access, the more damage they can do, so this is much more serious than a one-off breach, continuously putting customers at risk of targeted phishing attacks and card fraud.”
Marriott International is the world’s biggest hotel group. It acquired Starwood, which includes W Hotels, Sheraton, Le Meridien and Four Points by Sheraton, in 2016.