Marriott Breach Exposes Personal Info Of Up To 500 Million Guests

Marriott International disclosed Friday that passport numbers and payment card information have been compromised due to a breach of the Starwood guest reservation database.

The 6,700-property hotel chain learned during its investigation that there had been unauthorized access to the Starwood network between 2014 and Sept. 10 of this year. Specifically, Marriott said that an unauthorized party had copied and encrypted information, and taken steps toward removing it.

Marriott was able to decrypt the information on Nov. 19, and determined that the information accessed includes data on as many as 500 million guests who had made a reservation at a Starwood property. For 327 million of those guests, the personal data compromised includes names, addresses, dates of birth, passport numbers, email addresses and phone numbers, and arrival and departure information.

[Related: Dell Network Breached In Attempt To Extract Customer Information]

Threat actors also obtained payment card expiration dates and an encryption version of the payment card numbers for some of the guests. However, Marriott has been unable to rule out that both of the components needed to decrypt the payment card numbers were also taken.

Marriott said it has reported the information to law enforcement and begun notifying regulatory authorities. The company was first alerted to an attempt to access the Starwood reservation database on Sept. 8.

"We deeply regret this incident happened," Arne Sorenson, Marriott's president and CEO, said in a statement. "We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

Marriott said it would start Friday sending out emails on a rolling basis to guests whose email addresses are in the Starwood guest reservation database. The company also said it is devoting the necessary resources to phasing out the Starwood systems and accelerating ongoing security improvements to Marriott's network.

Starwood includes brands such as Sheraton, W and Westin, and was purchased in 2016 by Marriott for $12.2 billion.

Guests from the U.S. will have access to free fraud consultation services and reimbursement coverage, as well as access to a free one-year subscription to WebWatcher, which monitors internet sites where personal information is shared and generates an alert to the customer if evidence of their personal information is found.

Marriott has also set up a dedicated website and call center to deal with questions guests might have about the breach. The company's stock is down $5.84, or 4.79 percent, to $116.00 in pre-market trading Friday.

In a filing Friday with the U.S. Securities and Exchange Commission, Marriott said it was premature to estimate the financial impact of the breach to the company, although Marriott doesn't believe the incident will impact its long-term financial health. Marriott said it carries cyberinsurance commensurate with the size and nature of its operations, and is working with insurance carriers to assess coverage.

Marriott said it will separately disclose costs and corresponding insurance reimbursements specifically related to this breach. The company also said it is committed to maintaining its investment-grade credit rating.

The company's disclosure comes just two days after Dell indicated the possibility that some customer account names, email addresses and hashed passwords were removed from the company’s network. And in September, Facebook said that hackers had exploited a vulnerability in the social media giant's code to potentially take over nearly 50 million people's accounts.