Marriott data breach exposes a possible 500 million guests

On 30 November 2018, Marriott International Incorporated (Marriott) reported one of the largest data breaches on record. In a news release, the hotel chain revealed that there had been unauthorised access to its Starwood reservation database, and that approximately 500 million customers who had made a reservation with a Starwood property[1] between 2014 and 10 September 2018 may have had their personal data breached[2]. For 327 million of these guests, the information subject to the breach contains a combination of their name, mailing and email address, passport numbers, birth dates, travel and reservation dates and credit card numbers[3].

After receiving a notification from an internal security tool on 8 September 2018 of an attempt to access the Starwood guest reservation database, Marriott engaged a security expert to conduct an investigation[4]. During the investigation, Marriott was informed that the databases on the Starwood network had been subject to unauthorised access since 2014[5]. This predates Marriott entering negotiations to acquire Starwood in 2015 for $13.6 billion, with settlement occurring in 2016[6].

On 19 November 2018, Marriott learned that the unauthorised party had copied, encrypted and taken steps to remove information from the Starwood system[7]. Marriott stated that even though its customers’ credit card information was encrypted in the Starwood database, it is unable to conclude that this information has not been the subject of unauthorised access[8].

Marriott’s President and Chief Executive Officer, Arne Sorenson, affirms that the organisation is committed to providing its guests with answers to questions regarding their personal information[9]. While Ms Sorenson admits to falling short of ‘what their guests deserve’ and of the organisation’s own expectations, this is the second major security breach that Starwood has reported since its cash register systems were compromised in 2015[10].

------------------------------------------------------

[1]  Starwood properties include Sheraton, Ritz Carlton Westin, W Hotels, St. Regis, Four Points, Aloft, Le Meridien, Tribute, Design Hotels, Element and the Luxury Collection.
[2]  Marriott International, ‘Marriott Announces Starwood Guest Reservation Database Security Incident’ (Press Release, 30 November 2018) <http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/>.
[3]  Ibid.
[4]  Ibid.
[5]  Ibid.
[6]  Nicole Perlroth, Amie Tsang and Adam Satariano, ‘Marriott Hacking Exposes Data of Up to 500 Million Guests’, The New York Times (online), 30 November 2018 <https://www.nytimes.com/2018/11/30/business/marriott-data-breach.html>.
[7]  Marriott International, ‘Marriott Announces Starwood Guest Reservation Database Security Incident’ (Press Release, 30 November 2018) <http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/>; Nicole Perlroth, Amie Tsang and Adam Satariano, ‘Marriott Hacking Exposes Data of Up to 500 Million Guests’, The New York Times (online), 30 November 2018 <https://www.nytimes.com/2018/11/30/business/marriott-data-breach.html>.
[8]  Ibid.
[9]  Ibid.
[10]  Ibid.