Hackers stole information on up to 500 million guests of Marriott International’s Starwood properties in a breach of the Starwood guest reservation database dating back to 2014, the company announced on Friday.
Attackers gained access to a cache of personal information that includes names, dates of birth, passport numbers, mailing addresses, phone numbers, and gender. It is also possible that credit card information may have been taken.
Anyone who made a reservation at a Starwood property on or before Sept. 10, 2018, may have been affected, the company said.
Marriott first learned of the breach in September but was not immediately able to determine what information was obtained because it had been encrypted. The contents were decrypted in late November, when the company says it discovered they had come from the Starwood guest reservation database. According to the statement, the intruder copied, encrypted, and took steps toward removing the information.
Taking the extra step to encrypt the stolen information could indicate a more advanced attacker, one who was aware that Starwood would have some security measures in place, such as monitoring for unusual outbound data, and took steps to evade them.
“This is not an average attacker, this is a smart attacker,” said security researcher Arun Vishwanath. “It’s a telltale signal there. The bad guys have figured out that any of these corporate networks have a tracking system to see what’s going on.”
For 327 million guests the stolen information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences, and possibly credit card information. For the remaining guests, the stolen information appeared to be more limited.
The stolen payment information was encrypted, but the company has said it cannot rule out the possibility that hackers also took the information needed to decrypt the credit card numbers and expiration dates.
The attack is notable because of the range of personal information that was stolen, not just the number of people affected. A 2016 attack on Yahoo affecting 3 billion users was the largest breach that has been reported, but the Marriott attack affects personal information that cannot simply be changed.
“This is actually far more significant than Yahoo,” said Vishwanath. “Yahoo had numbers, but not data depth.”
“Yeah you can get a new credit card, but some of these things cannot be taken back,” he said.
This is the second intrusion affecting Starwood properties since 2015, with the first coming just days after an announcement that the company would be acquired by Marriott. The 2015 attack affected credit and debit card data at point-of-sale registers.
The acquisition of Starwood was completed in 2016, making Marriott the world’s largest hotel chain, with hotels in more than 100 countries.
Starwood properties include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels that participate in the Starwood Preferred Guest (SPG) program. Their branded timeshare properties are also included in the breach.
Marriott operates a separate network for other hotels, which were not affected.
The company said it had reported the incident to law enforcement and regulatory authorities, and is providing monitoring and fraud consultation services to customers in the US, Canada, and the UK.
At least one investigation has already been opened into the incident. New York Attorney General Barbara Underwood announced that her office would be investigating the attack, saying on Twitter “New Yorkers deserve to know that their personal information will be protected.”
There have also been multiple calls from Congress for data privacy legislation in the wake of the attack. Senators Mark Warner and Ed Markey both called for greater efforts to protect Americans’ digital privacy and security.
“Breaches like this can lead to identity theft and crippling financial fraud,” said Markey. “They are a black cloud hanging over the United States’ bright economic horizon.”
Marriott International may also face fines under the European Union's General Data Protection Regulation (GDPR), but the company said in an SEC filing that it does not expect the breach to affect its long-term financial health.
It’s also possible that the scope of the breach may prove larger than the initial estimate of 500 million people affected.
“If the history of previous reporting tells us anything,” Vishwanath added, “by the end of next week we may find out that this breach is twice as big.”