The Scotsman

Marriott data breach could hit 500 million customers

Hackers have had unauthorised access to guest details since 2014

By ANGUS HOWARTH

The records of 500 million customers of the hotel group Marriott are at the centre of what is believed to be the world’s biggest data breach.

Marriott announced yesterday that the guests’ data may have been exposed during breaches in a reservation database that began in 2014.

The “data security incident” hit the system for its Starwood portfolio, which includes Trump Turnberry in Ayrshire as well as London’s Park Lane Sheraton Grand, Westbury Mayfair and Le Meridien Piccadilly. Work is continuing but the firm said the breached database contains the information of up to half a billion guests who booked before 10 September.

The database stored information including passport numbers, dates of birth, names, addresses and phone numbers for 327 million guests.

Payment card numbers and expiration dates were also stored for some.

Marriott, which bought Starwood in 2016, is yet to establish how many UK customers have been affected.

Other hotels which were hit include The Park Tower Knightsbridge, a Luxury Collection Hotel, The Wellesley, a Luxury Collection Hotel, The Great Northern, a Tribute Portfolio Hotel, Sheraton Heathrow Hotel, W London, Leicester Square, Town Hall Hotel & Apartments, London, and Blakes Hotel London.

The breach was spotted in the Starwood guest reservation database in the US on September 8 and the company “discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it”, a statement said.

Security experts determined there “had been unauthorised access to the Starwood network since 2014”, it added.

Researchers decrypted the information and determined its contents were from the Starwood reservation databases on November 19, Marriott said.

Marriott president and chief executive Arne Sorenson said: “We deeply regret this incident happened.

“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The Maryland-based firm, which has hotels across the globe, said law enforcement agencies are investigating.

Payment card numbers are encrypted using a method that requires two components to break it, a statement said.

“Marriott has not been able to rule out the possibility that both were taken,” it added.

The National Crime Agency said it is making inquiries, and the New York Attorney General has also opened an investigation.

The Information Commissioner’s Office (ICO) has begun making inquiries over the breach and has the power to impose large fines.

“We have received a data breach report from Marriott Hotels involving its Starwood hotels and will be making inquiries,” a spokeswoman said.

“We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online.”

Facebook was fined £500,000 over the Cambridge Analytica scandal which saw an estimated 87 million users’ data breached, but the tech giant has mounted an appeal.

COMMENT

We live at the dawn of what has been dubbed the Information Age, a time of stunning technological change – on a par with the Industrial Revolution – that has already transformed the world and will continue to do so.

However, if anyone had any notion that criminals, despotic regimes and others with malign intent would not seek to exploit such rapid developments, then the theft of personal information from a database of up to 500 million customers of the Marriott International hotel group should put them straight.

It should also act as a significant wake-up call to companies and governments who wish to make a success of the Information Age by ensuring it works for ordinary people and does not become a lawless era, a cyber ‘Wild West’ in which the digitally clumsy fall prey to more dextrous, but immoral, minds.

There have been previous large-scale data hacks, but this latest incident – the second-largest in history – has some alarming features beyond its sheer scale.

The thieves may now be in possession of personal details like name, address, phone number, passport number, bank account details and date of birth, which represents quite a coup for those skilled at identity theft and online fraud, if that is their motive. Also, the hack began in 2014 and was only discovered on 10 September this year. According to one expert, four years is an unusually long time for such a breach to occur, but the average detection time of 200 days is hardly encouraging.

Every major economy now depends, to a significant extent, on the ability to share large amounts of data at the touch of a button. The system has become, as the saying goes, too big to fail. There will always be a temptation for companies to try to brush problems under the carpet to minimise the reputational damage.

In the EU, the General Data Protection Regulation came into force in May, billed as the “most important change in data privacy regulation in 20 years”. Under its provisions, organisations can be fined up to €20 million (about £17.8m) or four per cent of their annual global turnover for failing to handle someone else’s data correctly.

It remains to be seen if Marriott is now in trouble and also whether these rules are indeed tough enough.

But they will need to be if the Information Age is to avoid becoming the Stolen-information Age.

The system for Trump Turnberry in Ayrshire was affected as well as London’s Park Lane Sheraton Grand and Le Meridien Piccadilly
