Guests’ hotel data hacked
500 million customers of Marriott properties thought vulnerable
NEW YORK — Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, obtaining credit card and passport numbers and other personal data, the company said Friday as it acknowledged one of the largest security breaches in history.
The full scope of the failure was not clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times.
It was also unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.
The crisis emerged as one of the largest data breaches on record. By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
Security analysts were alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include WHotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Meridien and
Four Points. Starwood-branded timeshare properties were also included.
None of the Marriott-branded chains were threatened.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times, and Starwood Preferred Guest account information.
“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said.
Marriott set up a website and call center for customers who believe they are at risk.
The stolen information could be used by criminals to create fraudulent bank accounts.
It isn’t common for passport numbers to be part of a hack, but it is not unheard of. Hong Kong-based airline Cathay Pacific Airways said in October that 9.4 million passengers’ information had been breached, including passport numbers. Passport numbers are often requested by hotels outside the United States because U.S. driver’s licenses are not accepted there as identification.
And while the credit card industry can cancel accounts and issue new cards within days, it is a much more difficult process, often steeped in government bureaucracy, to get a new passport. But one factor about passports is that they are often required to be seen in person, said Ryan Wilk of NuData Security. “It’s a highly secure document with a lot of security features,” he said.
Email notifications for those who may have been affected begin rolling out Friday.
Marriott, based in Bethesda, Md., said in a regulatory filing that it was premature to estimate what financial impact the breach will have on the company. It noted that it does have cyber insurance.
Elected officials were quick to call for action. Maryland Attorney General Brian Frosh said Friday that he is launching an investigation into the security breach. Calling it “one of the largest and most alarming we’ve seen,” Frosh said his office would look into what caused the breach and how it would affect consumers.
“We will also be working with the company to make sure all customers who may have been impacted are notified and provided the resources to protect their personal information,” Frosh said.
Frosh, a Democrat, said his office will monitor Marriott’s response to make sure consumers are protected.
The state attorney general’s office urged consumers who may have been affected to protect themselves, including checking their credit scores at major credit reporting agencies and putting a freeze on their files. The office said free reports from the three credit agencies — Equifax, Experian, and TransUnion — can be obtained at www.annualcreditreport.com.