This morning, global hospitality enterprise Marriott International Inc. publicly disclosed it suffered a data breach that may rank as one of the largest cybersecurity failures in history.
The Marriott data breach is still under investigation by the company’s security team, but it may have affected as many as 500 million individuals. Of that number, approximately 327 million may have had their physical and email addresses, phone numbers, dates of birth, passport numbers, and possibly their credit card numbers and expiration dates stolen. Other guests may have only had their names and contact information stolen.
The breach centered on its Starwood property database, according to the company’s disclosure; Marriott acquired Starwood in 2016 for $13 billion. Marriott’s security team first received a security alert in September, but found evidence of unauthorized access, data copying, and data encryption dating back to 2014.
Marriott is working with investigators, and said it has taken steps to close the vulnerabilities that allowed the breach to occur. The hotel giant has not said how much information was actually removed from their databases, and stated it has not yet identified the number of duplicate victims.
Affected individuals will receive an email from the company alerting them to the data breach and a year of digital security services from WebWatcher. Marriott has set up a dedicated website and call center.
Marriott CEO Arne Sorenson said in a statement: “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Ted Rossman of CreditCards.com said in a statement to the AP: “The names, addresses, passport numbers and other sensitive personal information that was exposed is of greater concern than the payment info, which was encrypted. People should be concerned that criminals could use this info to open fraudulent accounts in their names.”
Marriott is already suffering the damaging market effects of a data breach: its shares have fallen nearly 7% since the announcement. New York Attorney General Barbara Underwood has opened an investigation into the breach. It is not yet clear if Marriott will run afoul of GDPR compliance, but it may be a distinct possibility given its global footprint. It is also not yet clear which regulators were informed of the breach before the public disclosure.
Marriott is the world’s largest hotel chain, managing over 6,000 properties globally. Its data breach is only behind the Yahoo data breach of 2013 in terms of number of victims.