Hackers stole sensitive information during four-year intrusion

Marriott has revealed that a massive data breach potentially compromised the details of 500 million guests at its Starwood hotels.

The chain admitted that hackers had access to a database containing the reservation details of 500 million people in a statement released today.

Marriott said that at least 327 million people had “some combination” of data stolen including names, addresses, phone numbers, and email addresses.

Passport numbers, birth dates, and account information were also taken over a four-year period.

Stored credit card information was already encrypted by Marriott – though the company didn’t rule out that hackers could have stolen the decryption keys.

The incident began at an unspecified date in 2014 and was thwarted when an internal security tool alerted staff to problems on September 8, 2018.

Arne Sorenson, president and CEO of Marriott, said: “We deeply regret this incident happened.

“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

The breach occurred on Starwood systems, rather than within a separate system used by Marriott-branded hotels.

Back in 2015, before being acquired by Marriott, Starwood disclosed a data breach when card-skimming malware was found on its point-of-sale machines.

According to Starwood, the malware had been present on its systems since 2014.

The announcement was made days before the acquisition was made public, though the incident did not affect the guest reservation database, as in the most recent case.

Security researcher Jake Williams said on Twitter: “Given the timeline of the breach, it’s clear that either Marriott bought the system in a breached condition or they were given a copy of the data (perhaps for due diligence) and failed to secure it themselves.”

Starwood hotel brands include W Hotels, Sheraton, Four Points by Sheraton, and Le Meridien.

Marriott has set up a website for former guests, and is offering free monitoring software for a year.

It will also email all guests whose information is present in the affected database.

Marriott is the latest in a long line of hotel chains to have suffered a data breach in recent years.

Earlier this month, Radisson reported that loyalty card holders may have had their details stolen in a breach.

In August, details on ‘millions’ of guests at Chinese chain Huazhu Hotels were found for sale on the dark web.

And in November 2017, Hilton Hotels was fined $700,000 over two credit card details breaches in 2014 and 2015.