Marriott Starwood hack: Booking database data compromised in cyber attack that could affect half a billion people

Hackers may have had the information for four years before hotel company noticed

Andrew Griffin
Friday 30 November 2018 07:48 EST
Comments
Marriott Starwood hack: booking database data compromised in cyber attack that could affect half a billion people

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A booking database run by the Marriott hotel chain has been hit by a vast hack that could affect half a billion people.

The vast collection of people’s personal information, used to book rooms at its Starwood properties, has been accessed by unauthorised people since 2014, it said.

The cyberattack included information about those people’s credit cards that could be used to steal money, Marriott warned.

That sensitive information was protected by encryption that should have meant it was unreadable even if people had access to the database. But the hackers may also have stolen the keys needed to decrypt that data and see what it said, the company warned.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s president and chief executive. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.

“Today, Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call centre. We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”

Marriott was first alerted to a potential breach in September, it said, when an internal security tool found someone was trying to access its database. It then found that people seemed to have been in the database since 2014, and they had copied information apparently with a view to taking it.

The company said it had informed law enforcement and was working with them on the investigation. It said it is also notifying the relevant regulatory authorities – in Europe, those regulators can impose substantial fines for such breaches, under new data protection regulation.

It also said it had set up a dedicated website and call centre for customers who fear their data might have been part of the hack, and will start sending out emails to customers immediately. Customers will also be given a year’s free access to a monitoring service, which will crawl the internet to see if their personal information is being shared.

Marriott bought Starwood in 2016, adding a host of luxury hotels and resorts and creating what it said was “the world’s largest and best hotel company”.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in