500million guests hit by Marriott hotel data hack
THE personal details of 500million Marriott hotel group customers have been accessed by hackers in one of the largest data breaches in history.
Information including credit card details and passport numbers may have been stolen in the attack, which began in 2014, the world’s largest hotel group said. The company yesterday announced that it was investigating the security lapse involving the guest database of its Starwood arm, which includes brands Sheraton, W Hotels, and Le Meridien.
Marriot-branded hotels use a separate reservation system and are not affected.
Millions of Britons who have stayed at the brand’s hotels around the world since 2014 and guests at flagship central London properties including the Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly could be at risk. But the company said it could not yet identify the exact number of Britons involved.
The company has begun emailing affected customers and has opened a call centre for guests who think they are at risk.
Marriott is also providing customers in the UK, US and Canada with free access to a ‘WebWatcher’ internet security package. However, a spokesman for the National Cyber Security Centre warned customers to be on their guard for ‘suspicious phone calls and targeted emails that can be sent after a data breach’.
Oz Alashe, of cyber security training platform CybSafe, said: ‘This is one of the most extensive, destructive data breaches of recent history. The variety of confidential private details that have been compromised – everything from customers’ names to their payment card details – can be easily leveraged for targeted phishing attacks, identity fraud, and even financial fraud.’
It is feared customer details could be posted to the Dark Web, where they can be sold on to criminals.
Marriott acquired Starwood, which also includes St Regis, The Luxury Collection and Four Points by Sheraton hotels, in 2016 – when hackers had already had access to guests’ personal data for two years.
‘Private details compromised’
Security experts yesterday accused Marriott of failing to carry out due diligence during the multibillion-pound takeover, which made it the world’s largest hotel chain.
Revealing details of the hack for the first time, Marriott said that after receiving an alert on September 8, a cyber security team found there had been ‘ unauthorised access to the Starwood network since 2014’.
But it was not until November 19 that the chain was able to determine the contents of the leak came from the Starwood database.
It said approximately half-a-billion guests who had made a reservation at a Starwood property on or before September 10 were affected.
For 327million people, ‘some combination’ of name, address, phone number, email address, passport number, Starwood account information, date of birth, gender, arrival and departure information and reservation date had been accessed.
It added that payment card numbers and expiration dates had also been taken in some cases and it has ‘not been able to rule out the possibility’ that the components needed to decrypt this information had been taken.
For the remaining 170million customers, hacked data was ‘limited’ to a combination of name, address and email address, it said.
The Maryland-based firm confirmed that law enforcement agencies were investigating the breach.