Hackers have hit Marriott’s guest reservation system, potentially exposing the sensitive information of more than 500 million people—the second biggest corporate data breach in history—within its Starwood reservation database.
Marriott’s internal security tools first alerted the hotel company to an unauthorized attempt to access the reservation system this past September, the same month that an unprecedented ripple of hotel strikes led by the labor group Unite Here kicked off across the US. During the investigation that followed, security experts traced the breach as far back as 2014—years before the widely publicized Marriott-Starwood merger. As the hack involves customers in the European Union and the United Kingdom, Marriott faces the additional conundrum of a possible violation of the General Data Protection Regulation.
Of the 500 million guests potentially affected, the stolen information for approximately 327 million includes names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation dates and communication preferences, according to a statement released today by Marriott.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128),” Marriott said, adding that they haven’t been able to determine if the hackers were able to decrypt the credit card numbers. Information was limited to names and sometimes mailing addresses and email addresses for the remaining guests.
Marriott has already begun notifying regulatory authorities and affected guests, and a dedicated website and call center were also established to answer questions. The company is also offering free WebWatcher enrollment for one year, which monitors internet sites where your personal information is shared and generates an alert if any of your information is found.
If you think you may have been affected by the Marriott data breach, your best defense is to be vigilant and immediately change passwords on accounts with sensitive information, as well as monitor accounts for suspicious activity.