Data Regulator Probes ‘Colossal’ Four-Year Marriott Breach


The hack exposed personal data and card information on up to 500m customers of Marriott’s Starwood hotels dating back to 2014

The UK’s data protection agency has said it is investigating a “colossal” hack on Marriott International that affected personal details and payment card data on up to 500 million people dating back to 2014, while a security expert said the incident painted a “grim picture” of the security arrangements in place for the world’s largest hotel chain.

The incident affects Marriott’s Starwood subsidiary, which operates Sheraton, Ritz-Carlton and Autograph Collection hotels, including London’s Sheraton Grand Park Lane and Le Méridien Piccadilly and Edinburgh’s Sheraton Grand.

It began before Marriott’s acquisition of Starwood in 2016, but was not uncovered until an internal security tool detected an attempt to access the Starwood guest reservation database on 8 September of this year.

The company then launched an investigation which uncovered “unauthorised access” to Starwood systems dating back to 2014.

Card data stolen

Marriott said it “recently” discovered that an unauthorised party had copied and encrypted information and had taken steps toward removing it.

“On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database,” the company said in a statement.

For some 327 million of the customers affected, the information includes data such as name, mailing address, phone number, email address, passport number, date of birth, gender, arrival and departure information, while for “some” the data also includes payment card numbers and expiration dates.

The card numbers were encrypted, but Marriott said it had not been able to rule out that the decryption keys were also taken.

The company said it had reported the incident to law enforcement and has begun notifying regulators and customers.

“We deeply regret this incident happened,” said Marriott chief executive Arne Sorenson.

Regulatory probe

The UK Information Commissioner’s Office said it was “making enquiries”.

“We have received a data breach report from Marriott involving its Starwood Hotels and will be making enquiries,” the ICO said. “If anyone has concerns about how their data has been handled they can report these concerns to us.”

Consumer rights organisation Which? said the breach was “on a colossal scale” and would be of “great concern” to Marriott customers, while warning that scammers could take advantage of the incident via fraudulent emails.

The incident is likely to draw attention from the ICO and other European regulators over the scale of the issue and the delay in making it public.

Nominet chief technology officer Simon McCalla said the long period of time during which hackers had access to Marriott’s systems was “concerning”.

“The company received an internal security alert in September of this year – four years after the initial breach,” he said. “This paints a grim picture of the security system they had in place and how susceptible they were to threats from outside the business.”