Security Alert: 500 Million Marriott Guest Records Stolen in Starwood Data Breach

November 30th, 2018

The world's biggest hotel chain, Marriott International, today disclosed that unknown hackers compromised the guest reservation database of its subsidiary Starwood Hotels and stole the personal data of about 500 million guests.  Marriott has set up a website with information about the breach.

Starwood Hotels and Resorts Worldwide was acquired by Marriott International for $13 billion in 2016. The brand includes St. Regis, Sheraton Hotels & Resorts, W Hotels, Westin Hotels & Resorts, Aloft Hotels, Tribute Portfolio, Element Hotels, Le Méridien Hotels & Resorts, The Luxury Collection, Four Points by Sheraton and Design Hotels.

The data breach is considered to be one of the largest in history, behind Yahoo's 2013 data breach in which nearly 3 billion user account records were stolen.

The breach of Starwood properties apparently has been happening since 2014, after an "unauthorized party" managed to gain unauthorized access to Starwood's guest reservation database and copied and encrypted the information.  Marriott discovered the breach in September of this year after receiving an alert from one of its internal security tools.

On November 19, the investigation into the incident revealed that there was unauthorized access to the database, containing "guest information relating to reservations at Starwood properties on or before September 10, 2018."

The stolen hotel database contains sensitive personal information of approximately 500 million guests, including their names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, arrival and departure information, reservation date, and communication preferences.  What's worrisome? For some users, stolen data also includes payment card numbers and payment card expiration dates.

But, according to Marriott, "the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128)." Attackers need two components to decrypt the payment card numbers, and "at this point, Marriott has not been able to rule out the possibility that both were taken."
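The point behind that quote is that AES ciphertext sitting in a stolen database is only useful to someone who also holds the key. The Go program below is an added illustration, not Marriott's or Starwood's code and not a description of how their system was built: it stores a card number as AES-128-GCM ciphertext plus a nonce, keeps the key out of the record entirely, and shows that a copy of the record without the matching key cannot be opened (GCM fails authentication instead of returning garbage). The guest ID, key and card number are constructed sample values; a real deployment would fetch the key from an HSM or key management service rather than hold it in the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Record is what would sit in the reservation database: the card number is
// present only as AES-128-GCM ciphertext plus the nonce used to produce it.
// The key is never stored alongside it, so a database dump alone is not enough.
type Record struct {
	GuestID    string
	Last4      string // clear-text last four digits, enough for display
	Nonce      []byte
	Ciphertext []byte
}

// EncryptPAN seals a card number under a 16-byte (AES-128) key obtained from
// a separate key store. Only the ciphertext and nonce go into the record.
func EncryptPAN(key []byte, guestID, pan string) (Record, error) {
	if len(key) != 16 {
		return Record{}, errors.New("AES-128 requires a 16-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Record{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Record{}, err
	}
	// A fresh random nonce per record; GCM security depends on never reusing one.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	// The guest ID is bound in as additional data, so a ciphertext cannot be
	// silently moved from one guest's record to another.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(guestID))
	last4 := pan
	if len(pan) > 4 {
		last4 = pan[len(pan)-4:]
	}
	return Record{GuestID: guestID, Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPAN recovers the card number only when the caller holds the key that
// sealed it; with any other key gcm.Open reports an authentication failure.
func DecryptPAN(key []byte, r Record) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.GuestID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample key and card number (hypothetical values). In
	// production the key would come from an HSM/KMS, not from the process.
	key := []byte("0123456789abcdef")
	rec, err := EncryptPAN(key, "guest-42", "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: last4=%s nonce=%s ct=%s\n",
		rec.Last4, hex.EncodeToString(rec.Nonce), hex.EncodeToString(rec.Ciphertext))

	pan, err := DecryptPAN(key, rec)
	fmt.Println("decrypt with correct key:", pan, err)

	// What an attacker holding only the database copy can do with a guess.
	_, err = DecryptPAN([]byte("fedcba9876543210"), rec)
	fmt.Println("decrypt with wrong key:", err)
}
```

The design choice worth noting is the separation: the record carries everything needed to decrypt except the key, which is why an investigation into a breach like this one has to ask whether the key material was taken as well as the ciphertext.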

The hotel company has begun notifying regulatory authorities and also informed law enforcement of the incident and continues to support their investigation.

How You Can Protect Yourself and Your Organization

Visit the Marriott/Starwood Data Breach Information Website for More Information. Marriott has taken measures to investigate and address a data security incident involving the Starwood guest reservation database. This site has information concerning the incident, answers to guests’ questions and steps you can take.

Change Your Marriott/Starwood and Other Personal Website Passwords. Changing your Marriott website password is a no-brainer, but since many of us use the same passwords for various websites, this breach could provide hackers with access to other sites.  ALWAYS use unique passwords for each website.

Monitor Your Accounts for Suspicious Activity. Keep an eye on your Starwood Preferred Guest account as well as bank, retirement, and credit card accounts, looking for suspicious activity or unauthorized transactions.

Use Virtual Credit Cards for Online Transactions. A virtual card functions like a disposable representative of your real card. If something happens to a virtual card, you can just delete it and get a new one. The two main purposes for using virtual account numbers (VANs) are security and convenience. Instead of providing merchants with your actual credit card details, you can just give the virtual card number.  Then, if there’s any security issue with the website or company, you can simply cancel that virtual card. You don’t need to worry about thieves making all sorts of fraudulent transactions, because they would just have that one limited number. And you won’t need to report your card information as stolen and get a new card mailed.

Don't Forget Your Corporate Accounts. If your organization has staff or executives who travel, their accounts and associated corporate credit cards could be breached.