On Friday morning, the Marriott Corporation acknowledged a massive data security breach involving the Starwood guest reservation database that occurred on or before September 10, 2018 and dated as far back as 2014.
In a public notice, Marriott stated that it had decrypted information and determined that the contents were from the Starwood guest reservation database, involving approximately 500 million guests who made a reservation at a Starwood property. The statement added:
For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).
Marriott said it would be phasing out Starwood systems and had established a dedicated call center to help customers with their questions. It also said it would offer guests the opportunity to enroll, free of charge for one year, in WebWatcher, which monitors internet sites where personal information is shared and generates an alert to the consumer if something is discovered.
Reuters reported, “The Federal Bureau of Investigation said it was looking into the attack on Starwood, whose brands include Sheraton, St. Regis, W and Westin hotels. It advised affected customers to check for identity fraud and report it to the bureau’s Internet Crime Complaint Center. The hack began in 2014, a year before Marriott offered to buy Starwood to create the world’s largest hotel operator. The $13.6 billion deal closed in September 2016.”
Marriott spokesman Jeff Flaherty told Reuters, “We are still investigating the situation so we don’t have a list of specific hotels. What we do know is that it only impacted Starwood brands.”
Juan Jose Fernandez Figares, chief analyst at Link Securities in Madrid, told Bloomberg, “The breach is so big that the company may face a large fine from the authorities and the market is factoring that in. This is yet another company that has been hit by a hacking and a reminder to any company that manages customers’ personal data that they need to work harder to protect them from future attacks.”
Michael Bellisario, an analyst at Robert W. Baird & Co., added, “We know there’s going to be a cost, but how big will it be, I don’t know, I don’t think Marriott knows. Marriott’s biggest asset is the network effect of customers in the loyalty program. The big question is does it impact the Marriott brand, and the customer desire to be rewards program members? It’s still too early to tell.”
The only data breach larger than the apparent one at Marriott occurred in 2013, when three billion user accounts at Yahoo were exposed, costing Yahoo $47 million in litigation expenses. Retailers Target Corp and Home Depot Inc. each lost $200 million after data breaches in 2013 and 2014. In late 2016, InterContinental Hotels Group (IHG) suffered a cyberattack.