Marriott hacking exposes data of up to 500 million guests

The News & Observer (Sunday) - News - BY AMIE TSANG AND ADAM SATARIANO

The Marriott International hotel chain said Friday that the database of its Starwood reservation system had been hacked and that the personal details of up to 500 million guests going as far back as 2014 had been compromised.

The hotel group, which runs more than 6,700 properties around the world, was informed in September about an attempt to access the database, and an investigation this month revealed that unauthorized access had been made on or before Sept. 10, Marriott said in a statement.

The hotel chain said personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised.

The investigation found that “there had been unauthorized access to the Starwood network since 2014,” and an “unauthorized party had copied and encrypted information, and took steps toward removing it,” the statement said.

Hackers also obtained encrypted credit-card information for some customers, but it was unclear if the hackers would be able to use those payment details.

Marriott said it wasn’t sure how many passport numbers and dates of birth were stolen but that it was a “subset” of the larger number of affected consumers, since this information is not a part of every reservation.

The hack affects customers who made reservations for Starwood hotel brands from 2014 to September of this year. The properties include Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Meridien, Tribute, Design Hotels, Elements and the Luxury Collection.

Marriott hotels, including Residence Inn and the Ritz Carlton, operate on a separate reservation system. The company has plans to merge that system with Starwood’s.

Richard Gold, head of security engineering at the cybersecurity firm Digital Shadows, said the breach ranks among the largest of consumer data, on par with breaches at Yahoo and the credit-scoring giant Equifax.

“This is an incredibly big number,” Gold said.

He said hotels are an attractive target for hackers because they hold a lot of sensitive information, including credit card and passport details, but often don’t have security standards as tough as those of more regulated industries, like banking.

“We deeply regret this incident,” Arne Sorenson, Marriott’s president and chief executive officer, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Investigations into the Marriott leak were announced by European regulators and the New York state attorney general, Barbara D. Underwood.

“It’s astonishing how long it took them to discover they were breached,” said Gus Hosein, executive director of Privacy International, a group that supports strong data protection laws. “For four years, data was being pilfered out of the company, and they didn’t notice. They can say all they want that they take security seriously, but they don’t if you can be hacked over a four-year period without noticing.”

The breach is far larger than the one last year at Equifax, a credit bureau, from which attackers stole information on 148 million people, including names, Social Security numbers, birth dates and addresses. In that case, the thieves also grabbed scans of around 3,200 passports from people who had uploaded them to an Equifax customer service website.

Equifax has spent more than $400 million on recovery from its breach, according to the company’s regulatory filings.

Marriott said it had set up a dedicated website and call center to deal with questions guests might have about their personal information and had notified regulatory and legal authorities. Marriott also said it would try to reach affected customers Friday to inform them of the security breach.

The company is offering one year of free enrollment in Web Watcher to people who live in the United States, Canada and Britain.

Marriott described it as a service that keeps an eye on internet sites where thieves swap and sell personal information and then alerts people if anyone is selling their information.
