Marriott security breach exposed data of up to 500M guests
NEW YORK — Hackers stole information on as many as 500 million guests of the Marriott hotel empire over four years, obtaining credit card and passport numbers and other personal data, the company said Friday as it acknowledged one of the largest security breaches in history.
The full scope of the failure was not immediately clear. Marriott was trying to determine if the records included duplicates, such as a single person staying multiple times.
The affected hotel brands were operated by Starwood before it was acquired by Marriott in 2016. They include W Hotels, St. Regis, Sheraton, Westin, Element, Aloft, The Luxury Collection, Le Méridien and Four Points. Starwood-branded timeshare properties were also affected. None of the Marriott-branded chains were threatened.
The crisis quickly emerged as one of the biggest data breaches on record.
“On a scale of 1 to 10 and up, this is one of those No. 10 size breaches. There have only been a few of them of this scale and scope in the last decade,” said Chris Wysopal, chief technology officer of Veracode, a security company.
By comparison, last year’s Equifax hack affected more than 145 million people. A Target breach in 2013 affected more than 41 million payment card accounts and exposed contact information for more than 60 million customers.
Security analysts were especially alarmed to learn that the breach began in 2014. While such failures often span months, four years is extreme, said Yonatan Striem-Amit, chief technology officer of Cybereason.
It was unclear what hackers could do with the credit card information. Though it was stored in encrypted form, it was possible that hackers also obtained the two components needed to descramble the numbers, the company said.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and pass- port numbers. Also included might be dates of birth, gender, reservation dates, arrival and departure times and Starwood Preferred Guest account information.
“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a statement. “We are doing everything we can to support our guests and using lessons learned to be better moving forward.”
A man works on a new Marriott sign in front of the former Peabody Hotel in Little Rock, Ark. Marriott says the information of up to 500 million guests at its Starwood hotels has been compromised. It said Friday that there was a breach of its database in September, but also found out through an investigation that there has been unauthorized access to the Starwood network since 2014.