Marriott International has addressed its recent security breach, which was revealed to have affected 500 million people.
According to a statement released by the company, unauthorised access was made to its Starwood guest reservation database, which contained guest information relating to reservations at Starwood properties on or before 10 September 2018.
This includes W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels.
Of the estimated 500 million guests possibly affected, approximately 327 million had provided their name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and, in some cases, payment card numbers and expiration dates.
During the investigation, it was found that there had been unauthorised access to the database since 2014.
Responding to the incident, Marriott president and CEO Arne Sorenson said the company deeply regrets what happened.
“We fell short of what our guests deserve and what we expect of ourselves,” he said.
“We are doing everything we can to support our guests, and using lessons learned to be better moving forward.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre.”
Background
On 8 September 2018, Marriott received an alert from an internal security tool notifying them of an attempt to access the Starwood guest reservation database in the United States.
With the help of security experts, the company discovered that an unauthorised party had copied and encrypted information from the database and had taken steps towards removing it.
On 19 November 2018, Marriott decrypted the information and determined that the contents were from the Starwood guest reservation database.
For some guests, the information includes payment card details, which were encrypted using Advanced Encryption Standard encryption. There are two components needed to decrypt the payment card numbers and, so far, Marriott cannot rule out the possibility that both were taken.
Next steps
Sorenson confirmed the Starwood reservation system, which is on a different network to the Marriott system, will be phased out.
“We will also continue to support the efforts of law enforcement and to work with leading security experts to improve,” he said.
“Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
Marriott has set up a dedicated website to assist anyone affected by the security breach.
The company has suggested those affected enrol in WebWatcher, if it is available in their country, to receive an alert if evidence of personal information is found online.
Marriott also recommends guests monitor their SPG account and payment card statements for any suspicious activity, change their password regularly and contact their national data protection authority if they believe they are the victim of identity theft.