By Aisha Al-Muslim, Dustin Volz and Kimberly Chin
This article is being republished as part of our daily
reproduction of WSJ.com articles that also appeared in the U.S.
print edition of The Wall Street Journal (December 1, 2018).
Marriott International Inc. on Friday disclosed one of the
biggest data breaches in history, a hack in the reservation
database for its Starwood properties that may have exposed the
personal information of up to 500 million guests.
News of the attack -- rivaled only by the theft of information
in 2013 and 2014 from internet company Yahoo -- roiled customers of
the world's largest hotel company and lowered its stock price.
In addition to the size of the Marriott exposure, security
analysts say the range of customer data potentially compromised --
such as passport numbers, travel details and payment-card data --
makes the breach even more sensitive. Numerous regulators in the
U.S. and abroad said they are monitoring the situation.
"We fell short of what our guests deserve and what we expect of
ourselves. We are doing everything we can to support our guests,
and using lessons learned to be better moving forward," said
Marriott Chief Executive Arne Sorenson, who led the company's $13.6
billion acquisition of Starwood Hotels & Resorts Worldwide in
2016.
Marriott, which has more than 6,700 properties world-wide under
30 hotel brands, declined to make company executives available for
interviews Friday.
The breach affected only Starwood hotel properties, said
Marriott, which had previously hit snags integrating that
business.
Starwood brands account for about a third of the company's total
collection. They include Sheraton, W Hotels, Westin, Le Méridien,
Four Points by Sheraton, Aloft, St. Regis, Element, The Luxury
Collection, Tribute Portfolio, and Design Hotels.
Marriott, whose other brands include the Ritz-Carlton and
Renaissance, has been unifying its reservation system, and by
year-end the Starwood system will no longer exist, a company
spokeswoman said.
Bethesda, Md.-based Marriott said an internal security tool
alerted it to a potential breach on Sept. 8. After an
investigation, the company found that the Starwood guest database
may have been compromised since 2014. The database contained
information for guests who made reservations on or before Sept. 10
at Starwood hotels globally.
Marriott warned that for roughly two-thirds -- or 327 million --
of the guests potentially affected, an unauthorized party may have
gained access to names, passport numbers and travel details. The
company said that in some cases payment-card numbers are typically
encrypted, though it couldn't rule out that card information was
stolen.
The company found the hacker had copied the information and
encrypted it for extraction before attempting to steal it, though
it wasn't until Nov. 19 that Marriott was able to determine what
information may have been accessed.
Marriott said it has been working with law enforcement and
regulatory authorities regarding the breach.
A Federal Bureau of Investigation spokeswoman said the agency is
tracking the situation, and by late Friday attorneys general in
several states, including New York, Illinois and Massachusetts,
said they had opened investigations.
Marriott will face scrutiny from regulators, particularly in
Europe where the European Union's General Data Protection
Regulation privacy law took effect in May, said Travis LeBlanc, a
partner with Boies Schiller Flexner LLP. Although the Starwood
breach predates GDPR, Mr. LeBlanc said because the unauthorized
activity continued after the law went into effect, the incident
would likely be subject to it.
Britain's Information Commissioner's Office, which can fine
companies for failing to protect customers' personal data, also is
investigating. This year, the office fined major companies
including Facebook Inc. and Uber Technologies Inc. for mishandling
data.
Shares of Marriott fell 5.6% Friday and are down more than 9%
over the past 12 months.
The Marriott hack joins a list of breaches to hit the
hospitality industry in recent years. Security analysts say the
industry is a ripe target for criminal actors because of the wealth
of financial and other information flowing through payment and
reservation systems. It also is a highly fragmented business, in
which large companies such as Marriott and Hilton Worldwide
Holdings Inc. largely license their brands to property owners who
manage the hotels.
In 2015, Starwood said hackers had stolen payment-card
information during a data breach that lasted nearly eight months at
54 locations. Hilton, InterContinental Hotels Group and the Trump
Hotel Collection also have reported data breaches in recent
years.
Based on the number of individuals potentially affected, only
Yahoo's breach in 2013 -- impacting three billion people, or nearly
the entirety of Yahoo's user base -- may be bigger, security
analysts said. The hack of Yahoo in 2014 involved roughly 500
million people.
Hackers often root through computer networks for years without
detection. That can make investigating a breach more difficult, as
companies often don't retain the full history of systems and
network-traffic logs, said Blake Darche, co-founder and chief
security officer at the cybersecurity company Area 1 Security.
The size and duration of the Marriott hack also could indicate
involvement of a foreign government, but former U.S. intelligence
officials cautioned it was too soon to make any conclusions.
The passport information -- a data set that is least commonly
compromised in commercial breaches -- could be especially valuable
to spy agencies looking to compile detailed dossiers on
international business travelers and government officials.
"There is a risk that these passport numbers can be paired with
other useful identifiers," such as social security numbers, home
addresses and email password-security answers, said David
Weinstein, vice president of threat research at security firm
Claroty and a former official at U.S. Cyber Command. Mr. Weinstein
said he wasn't aware of any previous theft of such a large number
of passport numbers.
Marriott said it would begin Friday to notify affected guests
whose email addresses were in the Starwood database. It has set up
a website and call center to answer questions about the breach. The
company is also providing guests free enrollment for a year in
WebWatcher, a service that monitors internet sites where personal
information is shared.
"We are devoting the resources necessary to phase out Starwood
systems and accelerate the ongoing security enhancements to our
network," Mr. Sorenson said.
The data breach adds to problems Marriott has encountered in its
integration of Starwood. Travelers have reported problems with
hotel stays being credited to loyalty accounts and have complained
about customer service not helping when issues were identified.
Marriott merged Starwood's loyalty program with its own Marriott
Rewards in mid-August. The program now counts more than 120 million
members.
Kaitlyn Seredoka, who has been a Starwood rewards member for two
years, said she would likely try to cancel her account. The
31-year-old Oshawa, Ontario, resident said she hadn't been directly
contacted about her information being compromised but planned to
reach out to the call center after work Friday.
"I'm upset," said Ms. Seredoka, a catering-company manager who
says she books stays with Starwood about twice a year. "I give my
information assuming it's going to be kept confidential. I don't
even know what info they have aside from my cellphone number."
Charles Chan Massey and his husband have been Marriott and
Starwood rewards members for more than 15 years and use the hotels
frequently for personal and professional trips. Mr. Massey, a
corporate meeting and event planner, said neither has been notified
directly of the breach, but they have no intention of canceling
their memberships.
"It's annoying but the potential for being hacked has become an
unfortunate part of 21st century life," said the 54-year-old Los
Angeles resident.
The brand and reputational damage Marriott could face from the
breach also places a spotlight on the company's examination of
Starwood before the takeover deal, said Jeff Pollard, an analyst
for Forrester Research Inc.
"With all the M&A occurring, it highlights the importance of
robust cybersecurity due diligence during the acquisition process,"
Mr. Pollard said.
In a Friday regulatory filing, Marriott said that it couldn't
yet estimate the financial impact of the data breach. The company,
which carries cyber insurance, said it is working with its
insurance carriers to assess coverage and it will disclose costs
later.
"The company does not believe this incident will impact its
long-term financial health," Marriott said in the filing.
Marriott earlier this month trimmed its full-year forecast on a
key revenue metric because of weaker demand in North America, its
biggest market.
--Robert McMillan, Anne Steele and Stu Woo contributed to this
article.
Corrections & Amplifications: An earlier version of this
article incorrectly stated an internal security tool alerted
Marriott of a potential breach to its U.S. database on Sept.
18.
Write to Aisha Al-Muslim at aisha.al-muslim@wsj.com, Dustin Volz
at dustin.volz@wsj.com and Kimberly Chin at
kimberly.chin@wsj.com
(END) Dow Jones Newswires
December 01, 2018 02:48 ET (07:48 GMT)
Copyright (c) 2018 Dow Jones & Company, Inc.