Unidentified hackers had had access to the hotel chain’s reservation database since 2014, Marriott International admitted, stating that management only discovered the breach after an internal security tool alerted them in September to an unauthorized attempt to access the Starwood database.
At least 327 million guests’ names, passport numbers, phone numbers, emails, and birthdays were exposed, and some guests had their credit card numbers and security codes stolen as well – but not to worry, Marriott says. That data was encrypted. “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” they admit.
For millions of others, up to an estimated total of 500 million guests, the stolen info was “limited” to name, contact data, and unspecified “other information.” Affected guests are being notified “on a rolling basis,” according to a press release, which is surely no comfort to those customers already infuriated that the hotel waited two months to notify them of the breach.
The statement left Marriott customers with a lot of unanswered questions, such as: How did it take them two months to figure out what data was accessed, and why did they wait another two weeks before informing those affected? But guests shouldn’t feel like the only ones left out of the loop. Marriott has only just begun informing regulators, though law enforcement, it seems, was told a bit earlier, as Marriott claims the company “continues to support their investigation.”
Most companies bite the bullet and notify customers as soon as they discover a breach – particularly one of this magnitude, which dwarfs last year’s Hyatt and InterContinental hacks. Not Marriott, which has not even finished “identifying duplicate information in the database” – meaning more information could have been taken from more guests than they’ve let on.
Marriott acquired Starwood in 2016, meaning the breach had already occurred when they took possession of the brand, which includes the W, Sheraton, Westin, St. Regis, and Le Meridien chains. Marriott’s stock dropped six percent after the news broke on Friday.
A Marriott representative claimed the hack would not affect the company’s long-term financial health, though the company was consulting with its insurance carriers to assess liability. But by letting the personal information of even a single European customer leak without their consent, Marriott could have violated the GDPR, putting it on the hook for as much as four percent of its global revenues – to say nothing of potential class action suits from the rest of the hacking victims. New York, Maryland, and Pennsylvania State Attorneys General have already opened or announced plans to open investigations into the breach.