Marriott Starwood hack affects 500 million customers

Hotel giant Marriott has confirmed that its Starwood Hotels & Resorts guest reservation database has been hacked by an unauthorised party.

Affecting up to 500 million people, the vast hack has exposed a considerable amount of data including:

  • Names
  • Phone numbers
  • Passport numbers
  • Encrypted payment card numbers
  • Payment card expiration dates

While the payment card data was encrypted using Advanced Encryption Standard encryption (AES-128), Marriott has not yet been able to rule out the possibility that both components needed to decrypt the payment card numbers could have been taken.

In its statement, Marriott President and CEO Arne Sorenson said:

We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.

Marriott has reported that it became aware of the breach in September this year, when it was alerted by an internal security tool regarding an attempt to access the Starwood database in the US. However, during the course of an internal investigation, the chain learned “that there had been unauthorised access to the Starwood network since 2014.”

Marriott acquired the Starwood chain in 2016 for $13.6 billion and the chain’s hotel brands include W Hotels, Sheraton, Le Meridien and Four Points by Sheraton.

This breach could be one of the largest in history, and more facts about the incident and the steps being taken will come to light over the coming days.

Marriott has begun notifying customers and regulatory authorities and has set up a dedicated website and call centre to answer questions about the incident.