By Kimberly Chin and Aisha Al-Muslim
Marriott International Inc., the world's largest hotel company,
said it identified a data breach in its Starwood reservation system
that may have exposed personal information of up to 500 million
guests.
For roughly two-thirds of the guests who were possibly affected,
an unauthorized party may have had access to names, addresses,
phone numbers, email addresses, passport numbers, and travel
details, Marriott said Friday. In some cases, the company said, the
information also included payment-card information. Marriott said
payment-card numbers are usually encrypted, though it could not
rule out that card information was stolen.
"We fell short of what our guests deserve and what we expect of
ourselves. We are doing everything we can to support our guests,
and using lessons learned to be better moving forward," Marriott
Chief Executive Arne Sorenson said in a news release.
The breach only impacted Starwood hotel brands. The Starwood
reservation system still exists, a Marriott spokeswoman said.
However, by the end of the year Marriott will have one reservation
system, she said.
Marriott said its internal security tool alerted it to a
potential breach of its U.S. database on Sept. 8. After an
investigation, the company found that the Starwood guest database
may have been compromised since 2014, which precedes Marriott's
acquisition of Starwood. The database contained information for
guests who made reservations on or before Sept. 10.
The company found the unauthorized party had copied and
encrypted information from the database, and had attempted to steal
it. However, it wasn't until Nov. 19 that Marriott was able to
decrypt the information to find out what the contents of the breach
were.
Starwood's brands include Sheraton, W Hotels, Westin, Le
Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The
Luxury Collection, Tribute Portfolio, and Design Hotels.
Marriott said it has been working with law enforcement and
regulatory authorities regarding the breach.
Hotel chains have been hit by a wave of data breaches in recent
years, often with hackers trying to steal customer credit- and
debit-card information. In 2015, Starwood said hackers had stolen
payment-card information during a data breach that lasted nearly
eight months at 54 locations. Hilton Worldwide Holdings Inc. and
Trump Hotels have also said hackers had stolen information.
The Marriott hack is one of the largest data breaches ever
disclosed, measured by the number of individuals potentially
affected. Only a 2013 breach of Yahoo that affected three billion
people, nearly the entirety of Yahoo's user base, may be bigger,
security experts said. Another hack of Yahoo that occurred in 2014
affected roughly 500 million people.
Hackers often root through computer networks for years without
detection. Remaining hidden for so long -- Marriott said the
intrusion dated back to 2014 -- can make investigating a breach
more difficult, as companies often don't retain their full history
of systems and network-traffic logs, said Blake Darche, co-founder
and chief security officer at the cybersecurity company Area 1
Security.
The compromise of passport information could be the most
significant aspect of the Marriott breach, particularly if it was
carried out by a state-sponsored actor for intelligence purposes,
said Mr. Darche, a former official with the National Security Agency.
"It's super useful for tracking people," he said.
The company said it would begin on Friday notifying affected
guests whose email addresses were in the Starwood database. It has
set up a website and call center to answer questions about the
breach. The company is also providing guests with the chance to
enroll in WebWatcher, a service that monitors internet sites where
personal information is shared, for free for one year.
"We are devoting the resources necessary to phase out Starwood
systems and accelerate the ongoing security enhancements to our
network," Mr. Sorenson said.
Marriott completed the $13.6 billion acquisition of Starwood
Hotels & Resorts in 2016. Marriott has had problems since the
acquisition with integrating its technology systems with those from
Starwood. Travelers have reported problems with hotel stays being
credited to loyalty accounts and have complained about customer
service not helping when issues were identified.
In a Friday regulatory filing, Bethesda, Md.-based Marriott said
that it couldn't yet estimate the financial impact of the data
breach. The company, which carries cyber insurance, said it is
working with its insurance carriers to assess coverage and it will
disclose costs later.
"The company does not believe this incident will impact its
long-term financial health," Marriott said in the filing.
Shares in Marriott fell 3.6% to $117.50 in premarket
trading.
Marriott has more than 6,700 properties under 30 hotel brands,
including the Ritz-Carlton and Renaissance.
--Dustin Volz contributed to this article.
Write to Kimberly Chin at kimberly.chin@wsj.com and Aisha
Al-Muslim at aisha.al-muslim@wsj.com
(END) Dow Jones Newswires
November 30, 2018 10:17 ET (15:17 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.