Marriott revealed on Friday that its Starwood reservation database was breached by hackers. As many as 500 million customers could be affected.
What are the details?
In 2016, Marriott International purchased Starwood Hotels & Resorts Worldwide for $12.2 billion. The Starwood brands include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels.
In a news release, Marriott revealed that the hack involved information from reservations on or before Sept. 10. The company had first revealed a security alert on Sept. 8, and when it investigated, it discovered that someone had copied, encrypted, and removed information. This unauthorized person had had access to the system since 2014.
On Nov. 19, the company determined that the stolen information had been taken from the Starwood database.
The company has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).
Marriott said that the hackers would need “two components” in order to decrypt credit card numbers, but that it had not yet determined whether or not both of these components had been stolen.
What did the Marriott president say?
Marriott President and CEO Arne Sorenson said that the company “deeply” regretted that this incident took place.
“We fell short of what our guests deserve and what we expect of ourselves,” Sorenson said. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Sorenson also said that the company planned to completely phase out the Starwood systems and enhance their security to prevent future cyber attacks. The company is cooperating with law enforcement and has notified regulatory authorities.
Guests whose information was compromised should be receiving an email from Marriott.
This hack is the second-largest corporate data breach ever. The largest was the breach of Yahoo in 2017 that affected 3 billion accounts.