Marriott’s Starwood hotels data breach

Marriott Hotels issued a statement that a breach of the reservation system at its subsidiary Starwood Hotels exposed personal data on nearly 500 million customers.

An excerpt from the press release on Friday: 


“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”

Marriott said the stolen data includes information on up to 500 million customers who made a reservation at a Starwood property. It is also notable that the unauthorized access goes back nearly 4 years.

For approximately 327 million of these guests, the stolen data includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

Marriott also said the breached information includes payment card numbers and expiration dates, but confirmed the payment card numbers were encrypted using the Advanced Encryption Standard (AES-128). However, the company could not confirm whether the data could be decrypted.