Marriott Starwood Database Breached since 2014

Up to 500 million accounts have been hacked at the Marriott hotel chain’s Starwood guest reservation database.  Approximately 327 million guest information was released including some combination of names, mailing address, phone number, passport number, date of birth and other sensitive information.  Marriott was also unable to verify if both of their Advanced Encryption Standard encryption methods for securing payment card numbers were taken.    

On September 8th, the Marriott received an alert regarding an attempt to access the reservation database.  According to a company statement, the unauthorized access to the database started in 2014. “The company recently discovered that an unauthorized party had copied and encrypted information, and took steps toward removing it,” stated Marriott.  “On November 19th, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.”

Marriott International purchased Starwood Hotels & Resorts Worldwide for $13 billion in 2016.  Starwood brands include big-name companies such as Sheraton Hotels & Resorts, The Luxury Collection, and Le Meridien Hotels & Resorts.  The company filed an 8K form with the Securities and Exchange Commission which signifies a significant unexpected event.  New York Attorney General Barbara Underwood and Maryland Attorney General Brian Frosh both stated on November 30th that they have opened investigations into the breach.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president, and CEO. “We fell short of what our guests deserve and what we expect of ourselves.”

In its SEC filing, Marriott stated the company carries insurance, including cyber insurance, and is working with its carriers to assess coverage.