LONDON – The Marriott hotel group has revealed that it suffered one of the biggest corporate data breaches in history. Attackers stole personal data from half-a-billion customers contained in the reservation database used by the company’s Starwood Group. The stolen data related to reservations at Starwood hotels from 2014 until 10 September 2018. It includes highly sensitive information like credit card details and passport numbers.
Marriott Cyberattack Lasted 4 Years
Announcing the security breach, Marriott said that hackers had had unauthorized access to its network for four years. In a statement released Friday, the hotel group said:
On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.
The investigation ended on 19 November, said Marriott. This means that it took the hotel group 20 days from confirming the attack to notifying its guests about it.
Marriott also said that for 327 million of the 500 million guests affected, the stolen information included some combination of highly sensitive data such as address, phone number, email and passport number. At the time of this writing, Marriott could not confirm whether hackers had been able to decrypt customers’ credit card numbers.
However, it is the length of the attack that will be most shocking to many people. Various cybersecurity experts have pointed out that the fact that attackers were able to remain in Marriott’s network for four years indicates major flaws in its cybersecurity setup. Nominet Chief Technology Officer, Simon McCalla, told Computer Weekly: “Ensuring threat monitoring and security systems are able to catch threats when they first interact with your critical systems is vital.”
Responding to the Attack
Arne Sorenson, Marriott’s President and Chief Executive Officer said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott has taken a variety of steps to help guests affected by the attack. It has established a dedicated website and call center and is notifying affected guests by email. It is also giving guests a one-year free subscription to the WebWatcher data security software.
“We are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network,” said Mr. Sorenson. Marriott purchased Starwood in 2016. The Starwood group includes St. Regis, Westin, Sheraton and W Hotels.
Big Fines Headed Marriott’s Way
As a result of this incident, the firm may have breached new European data protection rules brought in via the General Data Protection Regulation (GDPR). The regulation means that a company can be fined up to 4% of its annual turnover for data breaches.
A spokesperson for the UK’s Information Commissioner’s Office said: “We have received a data breach report from Marriott Hotels involving its Starwood Hotels and are making enquiries. We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online.”