Marriott data breach: New York Attorney General opens investigation into hack that may have affected 500 million guests

The massive data breach may be one of the largest on record

Chris Riotta
New York
Friday 30 November 2018 12:00 EST
Marriott Starwood hack: booking database data compromised in cyber attack that could affect half a billion people

New York’s Attorney General has launched an investigation into a major data breach impacting the global hotel chain Marriott.

Officials believe as many as 500 million guests who have stayed at Marriott hotels over the years could have been affected in the security breach, which may be among the largest on record.

“We fell short of what our guests deserve and what we expect of ourselves,” CEO Arne Sorenson said in a prepared statement. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

In a tweet on Friday, Attorney General Barbara Underwood said residents need to know that their personal information is safe. The statement came after Marriott revealed that unauthorized access to data within its Starwood network has been taking place since 2014, in what may be among the largest data breaches on record.

Marriott acquired Starwood in 2016 and the process of merging its computer system with Starwood computers has been marred by technical glitches.

Email notifications to those who may have been affected will begin rolling out Friday. While the breach affected “approximately 500 million guests” who made a reservation at a Starwood hotel, some of those records could include a single person who booked multiple stays. The company manages more than 6,700 properties across the globe.

The company said credit card numbers and expiration dates of some guests may have been taken. For as many as two-thirds of those affected, data exposed could include mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

Asked for more details on the 500 million number, Marriott spokesman Jeff Flaherty said Friday that the company has not finished identifying duplicate information in the database.

An internal security tool signalled a potential breach in early September, but the company was unable to decrypt the information that would define what data had potentially been exposed until last week.

Marriott, based in Bethesda, Maryland, said in a regulatory filing that it’s premature to estimate what financial impact the data breach will have on the company. It noted that it does have cyber insurance, and is working with its insurance carriers to assess coverage.

The Starwood breach stands out among even the largest security hacks on record. Hilton had two separate data breaches that exposed more than 350,000 credit card numbers. One breach began in November 2014 and another in April 2015. Yahoo had data breaches in 2013 and 2014 that impacted about 3 billion of its accounts. Target also had an incident in 2013 that affected more than 41 million customer payment card accounts and exposed contact information for more than 60 million customers. Last year, Equifax disclosed a data breach that affected more than 145 million people.

Additional reporting by AP.
