Marriott Starwood hack: Booking database data compromised in cyber attack that could affect half a billion people

Hackers may have had the information for four years before hotel company noticed

Andrew Griffin (@_andrew_griffin)
Friday 30 November 2018 12:48

A booking database run by the Marriott hotel chain has been hit by a vast hack that could affect half a billion people.

The vast collection of people’s personal information, used to book rooms at its Starwood properties, has been accessed by unauthorised people since 2014, Marriott said.

The cyberattack included information about those people’s credit cards that could be used to steal money, Marriott warned.

That sensitive information was protected by encryption that should have meant it was unreadable even if people had access to the database. But the hackers may also have stolen the keys needed to decrypt that data and see what it said, the company warned.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.

“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

Marriott was first alerted to a potential breach in September, it said, when an internal security tool found someone was trying to access its database. It then found that people seemed to have been in the database since 2014, and they had copied information apparently with a view to taking it.

The company said it had informed law enforcement and was working with them on the investigation. It said it is also notifying the relevant regulatory authorities – in Europe, those regulators can impose substantial fines for such breaches, under new data protection regulation.

It also said it had set up a dedicated website and call centre for customers who fear their data might have been part of the hack, and will start sending out emails to customers immediately. Customers will also be given a year’s free access to a monitoring service, which will crawl the internet to see if their personal information is being shared.

Marriott bought Starwood in 2016, adding a host of luxury hotels and resorts and creating what it said was “the world’s largest and best hotel company”.
