By Kimberly Chin and Aisha Al-Muslim
Marriott International Inc., the world's largest hotel company,
said it identified a data breach in its Starwood reservation system
that may have exposed the personal information of up to 500 million
guests.
For roughly two-thirds of the guests who were possibly affected,
an unauthorized party may have had access to names, addresses,
phone numbers, email addresses, passport numbers and travel
details, Marriott said Friday. In some cases, the company said, the
information also included payment-card information. Marriott said
payment-card numbers are usually encrypted, though it could not
rule out that card information was stolen.
"We fell short of what our guests deserve and what we expect of
ourselves. We are doing everything we can to support our guests,
and using lessons learned to be better moving forward," Marriott
Chief Executive Arne Sorenson said in a news release.
The breach only impacted Starwood hotel brands. The Starwood
reservation system still exists, a Marriott spokeswoman said.
However, by the end of the year Marriott will have one reservation
system, she said.
Marriott said its internal security tool alerted it to a
potential breach of its U.S. database on Sept. 8. After an
investigation, the company found that the Starwood guest database
may have been compromised since 2014, which precedes Marriott's
acquisition of Starwood. The database contained information for
guests who made reservations on or before Sept. 10.
The company found the unauthorized party had copied and
encrypted information from the database, and had attempted to steal
it. However, it wasn't until Nov. 19 that Marriott was able to
decrypt the information to find out what the contents of the breach
were.
Starwood's brands include Sheraton, W Hotels, Westin, Le
Méridien, Four Points by Sheraton, Aloft, St. Regis, Element, The
Luxury Collection, Tribute Portfolio and Design Hotels.
Marriott said it has been working with law enforcement and
regulatory authorities regarding the breach.
A spokeswoman for the Federal Bureau of Investigation said the FBI
is tracking the situation.
Hotel chains have been hit by a wave of data breaches in recent
years, often with hackers trying to steal customer credit- and
debit-card information. In 2015, Starwood said hackers had stolen
payment-card information during a data breach that lasted nearly
eight months at 54 locations. Hilton Worldwide Holdings Inc. and
Trump Hotels have also said hackers had stolen information.
The Marriott hack is one of the largest data breaches ever
disclosed, measured by the number of individuals potentially
affected. Only a 2013 breach of Yahoo that affected three billion
people, nearly the entirety of Yahoo's user base, may be bigger,
security experts said. Another hack of Yahoo that occurred in 2014
affected roughly 500 million people.
Hackers often root through computer networks for years without
detection. Remaining hidden for so long can make investigating a
breach more difficult, as companies often don't retain their full
history of systems and network-traffic logs, said Blake Darche,
co-founder and chief security officer at the cybersecurity company
Area 1 Security.
The compromise of passport information could be the most
significant aspect of the Marriott breach, particularly if it was
carried out by a state-sponsored actor for intelligence purposes,
said Mr. Darche, a former official with the National Security
Agency.
Passport numbers are often used to confirm a guest's identity at
check-in, and they are coveted by criminals, said Avivah Litan, a
senior analyst with Gartner Inc.
"If you're signing up for a new loan, if you're renting a car in
a foreign country, if you're opening a bank account -- you always
have to present identity documents," Ms. Litan said. The passport
is "a standard identity document that's used globally for identity
verification," she said.
Marriott said it would begin on Friday notifying affected guests
whose email addresses were in the Starwood database. It has set up
a website and call center to answer questions about the breach. The
company is also providing guests with the chance to enroll in
WebWatcher, a service that monitors internet sites where personal
information is shared, for free for one year.
"We are devoting the resources necessary to phase out Starwood
systems and accelerate the ongoing security enhancements to our
network," Mr. Sorenson said.
Marriott completed the $13.6 billion acquisition of Starwood
Hotels & Resorts in 2016. Marriott has had problems since the
acquisition with integrating its technology systems with those from
Starwood. Travelers have reported problems with hotel stays being
credited to loyalty accounts and have complained about customer
service not helping when issues were identified.
In a Friday regulatory filing, Bethesda, Md.-based Marriott said
that it couldn't yet estimate the financial impact of the data
breach. The company, which carries cyber insurance, said it is
working with its insurance carriers to assess coverage and it will
disclose costs later.
"The company does not believe this incident will impact its
long-term financial health," Marriott said in the filing.
Shares in Marriott fell 3.6% to $117.50 in premarket
trading.
Marriott has more than 6,700 properties under 30 hotel brands,
including the Ritz-Carlton and Renaissance.
--Dustin Volz contributed to this article.
Write to Kimberly Chin at kimberly.chin@wsj.com and Aisha
Al-Muslim at aisha.al-muslim@wsj.com
(END) Dow Jones Newswires
November 30, 2018 11:04 ET (16:04 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.