Records of 500 million customers of Marriott hotel group were compromised in data breach
Marriott International hotel chain has revealed that its Starwood division’s reservations database had been compromised by unauthorized third parties. According to an internal investigation by specialists in digital forensics, an attacker had gained access to the Starwood network since 2014.
Marriott International claims that it is notifying registered customers in the compromised database.
Starwood was absorbed by Marriott in the year 2016, consolidating it as the largest hotel chain in the world, with more than 5800 establishments worldwide. Starwood’s division includes brands such as W Hotels, Sheraton, Le Méridien and Four points by Sheraton. Marriott brand Hotels Use a separate reservation system on a different network than other brands on your property.
Marriott said his internal digital forensics team detected that a third party was trying to access the Starwood database. Continuing his research, the company discovered that “an unauthorized actor copied and encrypted the information”.
According to company estimates, the compromised database contains records of up to 500 million customers, of which about 320 million records included information such as customer name, address, phone numbers, email address, Passport number and account information.
In some cases, customer records also included encrypted information on payment cards, although the possibility that encryption keys have also been stolen is not yet dismissed.
“We deeply regret this incident. Marriott has already alerted to the authorities and will continue to collaborate in the investigation”, mentions a statement from the company.
The company has created a website to address the concerns of users worried about the status of their personal information. According to experts in digital forensics, the company will offer affected customers a year of free anti-fraud protection services.
On the other hand, the United Kingdom’s Information Commissioner Office (ICO) stated: “We received a data breach report from Marriott that involves its Starwood brand. If costumers have any doubts about the treatment that the company has given to their personal data, they can go to ICO”.
Although this is not the largest data breach known, it is among the worst. The attackers not only accessed and copied 500 million records, but remained on Starwood’s systems for almost three years. And, although the information on the payment cards was encrypted, digital forensics specialists from the International Institute of Cyber Security do not rule out that the encryption keys have also been stolen.
Even though Marriott’s main office is in the United States, the hotel group must comply with the EU’s General Data Protection Regulation (GDPR), as the company works with the personal information of citizens of the European Community. Therefore, although the incident is being investigated by the ICO in the United Kingdom, the company could be penalized according to the provisions of the GDPR.
In addition, this incident could cause the propagation of phishing or extortion campaigns through compromised information, so the problems for the hotel chain have just started. For its part, Marriott says it will not send any email notifications with attachments, and will not request any information from its customers in this way.