500 million hotel customers across more than 11 hotel brands and 1,200 properties, including W Hotels, St. Regis, Sheraton and Westin, have had their data stolen in one of the biggest data breaches on record.
For as many as two-thirds of those affected, the exposed data could include mailing addresses, phone numbers, email addresses and passport numbers, as well as dates of birth, gender and reservation dates.
Marriott says that it first received an alert of the breach on September 8th 2018 from an internal security tool, but later realized that unauthorized access to data within its Starwood network had been taking place since 2014, two years before Marriott acquired Starwood in 2016.
Questions have arisen as to how the breach was not detected at the merger, and the two years it continued after the acquisition without detection suggest Marriott did not have adequate cybersecurity tools in place to protect sensitive customer data.
The hack is thought to be financially motivated but could be related to monitoring people of interest. The Russian government is linked to a hacking group which previously targeted hotels across Europe and the Middle East.
Marriott has set up a website for people impacted by the breach to get information. The chain is also offering guests the opportunity to enrol in a site that monitors places on the web where people’s personal information often pops up after a breach, and then notifies them if their information makes an appearance.
Marriott-owned Starwood is the largest hotel chain in the world, though Marriott customers do not appear to be affected at this stage.
Marriott shares were hammered on Friday, dropping 6%, indicating clear materiality attached to data breaches.