Marriott International has revealed that it's investigating a hack of the guest reservation database at its Starwood unit that may be one of the biggest such breaches in corporate history. The attack is troubling not just because of its sheer size, but also the level of detail potentially stolen by the attackers. The hack affects some 500 million guests—and for about 327 million of them, the data included passport numbers, emails and mailing addresses, Marriott said. Some credit card details may also have been taken.
The Marriott hack may rank only below Yahoo as one of the biggest of personal data, when 3 billion users were exposed to a 2013 security breach.
"We know there's going to be a cost, but how big will it be, I don't know, I don't think Marriott knows," says Michael Bellisario, an analyst at Robert W. Baird & Co. "Marriott's biggest asset is the network effect of customers in the loyalty program. The big question is does it impact the Marriott brand, and the customer desire to be rewards program members? It's still too early to tell."
Regulators and consumers have been stepping up their action against companies that have suffered security breaches as such attacks have increasingly become more severe. Target Corp. last year agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen, while Equifax is facing billion-dollar lawsuits and a regulatory investigation.
A Marriott statement indicates the hacking was going on years before the company acquired Starwood in a deal valued at about $13.6 billion that closed in September 2016. Marriott's database contained guest information relating to reservations at Starwood properties on or before Sept. 10, 2018. For some, it also included payment card details, said Marriott, which didn't identify who the perpetrators might be.
Athough Marriott said the details such as credit card numbers were encrypted, it has not been able to rule out the possibility that enough details were taken in order to decrypt this information.
The company has reported the incident to law enforcement and continues to support their investigation, and has also begun notifying regulatory authorities. Marriott informed the U.K. data protection regulator about the breach, the Information Commissioner's Office said Friday. The regulator asked individuals concerned about how their data was handled to report their worries.
In its quarterly filing dated Nov. 6, Marriott added a warning about security breaches.
"We have experienced cyber-attacks, attempts to disrupt access to our systems and data, and attempts to affect the integrity of our data, and the frequency and sophistication of such efforts could continue to increase," the firm said, without providing details on specific attacks.
Marriott paid $13.6 billion to acquire Starwood in September 2016 in a deal that created a hospitality industry behemoth that has 1.3 million rooms and more than 110 million loyalty program members. Starwood's legacy brands include Sheraton, W Hotels, Westin, Aloft and St. Regis.