Marriott data breach: New York Attorney General opens investigation into hack that may have affected 500 million guests

The massive data breach may be one of the largest on record

Chris Riotta
New York
Friday 30 November 2018 17:00
Comments
Marriott Starwood hack: booking database data compromised in cyber attack that could affect half a billion people

New York’s Attorney General has launched an investigation into a major data breach impacting the global hotel chain Marriott.

Officials believe as many as 500 million guests who have stayed at Marriott hotels over the years could have been affected in the security breach, which may be among the largest on record.

“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a prepared statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

In a tweet Friday, Attorney General Barbara Underwood said residents need to know that their personal information is safe after Marriott revealed unauthorized access to data within its Starwood network has been taking place since 2014 in what may be among the largest data breaches on record.

Marriott acquired Starwood in 2016 and the process of merging its computer system with Starwood computers has been marred by technical glitches.

Email notifications to those who may have been affected will begin rolling out Friday. While the breach affected “approximately 500 million guests” who made a reservation at a Starwood hotel, some of those records could include a single person who booked multiple stays. The company manages more than 6,700 properties across the globe.

The company said credit card numbers and expiration dates of some guests may have been taken. For as many as two-thirds of those affected, data exposed could include mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

Asked for more details on the 500 million number, Marriott spokesman Jeff Flaherty said Friday that the company has not finished identifying duplicate information in the database.

An internal security tool signalled a potential breach in early September, but the company was unable to decrypt the information that would define what data had potentially been exposed until last week.

Support free-thinking journalism and attend Independent events

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it’s premature to estimate what financial impact the data breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.

The Starwood breach stands out among even the largest security hacks on record. Hilton had two separate data breaches that exposed more than 350,000 credit card numbers. One breach began in November 2014 and another in April 2015. Yahoo had a data breaches in 2013 and 2014 that impacted about 3 billion of its accounts. Target also had an incident in 2013 that affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Last year, Equifax disclosed a data breach that affected more than 145 million people.

Additional reporting by AP.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in