About the Marriott Starwood Data Breach of 500 Million Guests Announced Today

The Marriott hotel chain announced today that their Starwood property has suffered a massive data breach of as many as 500 million guest records. Note that even though the breach was discovered days earlier, they are announcing it on a Friday morning; Friday is known to be the day to announce things if you want them to get the least amount of attention.

This announcement comes just two days after the announcement of the post office data breach. Earlier this year both Walgreens and Saks 5th Avenue announced data breaches. But at 500 million (that’s a half billion, folks!) data records exposed, the Marriott Starwood data breach is by far the most massive breach to date for data of this scope. (Yahoo had a data breach of up to 3 billion user records in 2016, but it is thought to have been limited to usernames, passwords, and dates of birth.)

If the fact that the Marriott data breach was discovered last week but not announced until now annoys you, then the fact that they had been alerted to an issue in September will probably make you mad, and the fact that it had actually been going on since 2014 should make you livid.

According to a statement released by Marriott today, “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”

But wait, there’s more. Because, while for most of the customers whose data was exposed (at 500 million we have to imagine that means all of Starwood’s customers) the exposed data was limited (and we use the term loosely) to “some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences” (uh, that’s a lot), many have also had their credit card details exposed.

Says Marriott, “the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.” {Emphasis ours}

Said Marriott CEO Arne Sorenson, “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

According to Marriott, if you have stayed at a Starwood property in the 5 years leading up to September of this year, your data has been exposed (and quite likely already packaged for sale on the dark web).

Marriott Starwood has engaged cyber risk mitigation firm Kroll to assist with this, and info.starwoodhotels.com forwards to answers.kroll.com where you can get the latest information.
