It has been twelve months since the hospitality giant disclosed a data breach that affected millions of people, so it is time to look back at what happened. The Marriott hotel chain announced a major database breach that could affect anyone who had made a reservation at a Starwood property since 2014, up to 500 million people in total.
A breach of that size places the Starwood incident among the largest ever recorded. The 2013 Yahoo breach, which affected as many as 3 billion accounts, remains the largest so far, and a separate, later Yahoo breach hit 500 million accounts.
So, how did this happen? Marriott says that on 8 September it received an alert from an internal security tool warning of an attempt to access the Starwood guest reservation database in the United States. Its investigation found that an unauthorised party had gained access to the customer database and had “copied and encrypted information and took steps toward removing it.”
Marriott decrypted the copied data and found that it contained information on as many as 500 million guests who had made a reservation at a Starwood property. For about 327 million of them, Marriott said, the data included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.
“This is big … the biggest threat to U.S. national security that we have ever faced” from data breaches, said Peter Aiken, associate professor of information systems at the Virginia Commonwealth University School of Business.
That is because data from the Starwood breach can be combined with data from earlier breaches such as those at Equifax, Target and the dating site Ashley Madison, some of which included official government email addresses. Cybercriminals or foreign actors more readily target “people who are vulnerable from a national security perspective,” Aiken said.
Perhaps the most important response came from the European Union, which 18 months earlier had enacted the General Data Protection Regulation (GDPR), with provisions requiring stronger security and privacy protections for EU residents’ personal information. The Starwood breach was global, but Marriott has not detailed which countries were hardest hit.
Marriott completed its $13 billion acquisition of Starwood Hotels and Resorts in September 2016, making the combined company the largest hotel chain in the world, with more than 5,500 hotels at the time. Marriott now has more than 6,700 hotels.
After the merger, members of the Marriott Rewards and Starwood Preferred Guest programs were able to link their accounts, but Marriott hotels continued to use a separate reservation system on a different network. Having failed to prioritise cybersecurity and the care of the Starwood database during the merger, Marriott now “will suffer for it long after,” Forrester’s Pollard said. For Marriott and the customers who frequent Starwood hotels, “this is going to have a long tail.”