Our personal data has become more vulnerable than ever in our technology driven world, especially for those who find themselves traveling for work.
Chances are if you’re in the mortgage business you’ve stayed at a Marriott hotel during a conference or over the course of your business travel. That’s why it should alarm you the company has reported a data breach that could have affected 500 million guests. Yes, that’s right. 500 million.
Marriott revealed on Friday that data for its Starwood properties was illegally accessed by an unauthorized party. The reservation database contained guest information dating to on or before that date of Sept. 10, 2018.
According to information from the company, for approximately 327 million guests, personal information including names, mailing addresses, phone numbers, email addresses, passport numbers, flight details, Starwood account information and credit card numbers were compromised.
Marriott said that for some people, the compromised information includes credit card numbers and credit card expiration dates, but Marriott notes that the card numbers were encrypted using Advanced Encryption Standard encryption.
According to Marriott, there are two components needed to decrypt the credit card numbers, but Marriott cautions that at this point, Marriott "has not been able to rule out the possibility that both were taken."
The Starwood properties include W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels.
Marriott got wind of the breach after receiving an alert from an “internal security tool” indicating there had been an attempt to access Starwood's guest reservation database.
After investigating the breach, it was determined that “there had been unauthorized access to the Starwood network since 2014.” But here’s the biggest bombshell, the unidentified party had copied and encrypted information, even taking steps to remove it.
On November 19, Marriott was able to decrypt the information, determining that the contents were from Starwood’s database. However, it is still working to identify duplicate information in the database.
“We deeply regret this incident happened,” Marriott President and Chief Executive Officer Arne Sorenson said. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Marriott has reported this incident to law enforcement and has notified regulatory authorities.
“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center,” Sorenson said. “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve.”
Sorenson also said the company is devoting resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to its network.
Here are details on what the company is offering for the affected consumers:
Marriott is providing guests the opportunity to enroll in WebWatcher free of charge for one year. WebWatcher monitors internet sites where personal information is shared and generates an alert to the consumer if evidence of the consumer’s personal information is found. Due to regulatory and other reasons, WebWatcher or similar products are not available in all countries. Guests from the United States who activate WebWatcher will also be provided fraud consultation services and reimbursement coverage for free
To find out more about Marriott's initiatives, click here.
