On Friday, Marriott International announced a system breach that has affected approximately 500 million customers, with stolen information including names, credit card numbers, mailing addresses, email addresses, and passport numbers. The breach is one of the largest in history, after recent Yahoo breaches that compromised the accounts of nearly three billion customers.
The breach appears to have originated at Starwood hotels in 2014—two years before Marriott acquired the hotel chain, according to The Washington Post. "When Marriott acquired Starwood in 2016, the existing breach went undetected during the merger and for years afterward," the Post noted.
Marriott says it confirmed unauthorized access to the Starwood guest reservation database on November 19, which contained guest information dating back to September 10, 2018. The hackers had allegedly copied encrypted information from the Starwood reservation database. When Marriott was able to decrypt the information, the company found that of the approximately 500 million guests that had their name and contact information stolen, a subset of 327 million had "some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences."
To make matters worse, Marriott says that credit card numbers were likely stolen as well. Although the numbers were encrypted using the AES-128 standard, Marriott says it cannot rule out that the hackers also stole the keys to decrypt the credit card number information.
“We deeply regret this incident happened,” Arne Sorenson, Marriotts president and chief executive officer, said in a statement. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Starwood brand hotels that may have been affected include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, and more.
The Post noted that it's unclear whether the hackers were "criminals collecting data for identity theft or nation-state spies collecting information on travelers worldwide, including possibly diplomats, business people, or intelligence officials as they moved around the globe." Proprietary Wi-Fi at these hotels could be a vector of attack. In 2015, before Marriott had acquired Starwood Hotels, the company briefly tried to block guests' personal hotspots at some properties in order to force their guests to pay for the Marriott proprietary Wi-Fi network. The Federal Communications Commission (FCC) ordered Marriott to stop that practice.
In 2016, 20 locations including Starwood and Marriott hotels suffered a separate breach costing tens of thousands of customers their credit card numbers.