REPORT FROM THE U.S.—A wide array of sensitive data—including names, addresses, dates of birth, passport numbers and credit card information—were copied by an unauthorized party from Starwood Hotels & Resorts Worldwide’s reservation system over a four-year span, according to Marriott International officials.
Affecting up to 500 million guests, the data breach is “one of the largest data breaches ever disclosed, measured by the number of individuals potentially affected,” The Wall Street Journal reports. It is eclipsed only by a 2013 breach of Yahoo that had an impact on nearly 3 billion people and another Yahoo hack in 2014 that affected roughly 500 million. That would make the breach of Starwood’s systems the largest in the history of the hotel industry.
Reuters reports the Office of the New York Attorney General has opened an investigation into the breach.
In a news release issued Friday morning, Marriott officials noted they first uncovered the unauthorized access to the legacy Starwood guest reservation data in the U.S. in early September, and further investigation revealed on 19 November the contents of the copied data.
“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences,” the release notes.
“For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”
Marriott has started a dedicated website and call center for concerned guests and is offering a free year-long subscription to a service that monitors if a guest’s personal information is offered for sale online.
Marriott completed its acquisition of Starwood in September 2016, meaning the breach was ongoing for roughly two years before that deal closed.
Marriott officials did not respond to a request for interview, nor did they specify if the discovery of the breach was related to the monthslong integration of back-end systems at legacy Starwood hotels and brands to Marriott’s systems.
The integration of systems and sales teams has been an ongoing talking point during quarterly earnings calls for companies with legacy Starwood properties, mostly related to how the shifts have negatively impacted performance at some properties.
In a statement included in the news release, Marriott President and CEO Arne Sorenson noted officials “deeply regret this incident happened.”
“We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center,” he said. “We will also continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network.”
An ‘eye-opening’ moment
Ted Harrington, executive partner with hospitality security consulting firm Independent Security Evaluators and a regular speaker on security issues in the hotel industry, said it might be easy to criticize a company like Marriott following a breach of this magnitude, which he described as “eye-opening,” but there are important lessons to learn for all hoteliers.
“If the world’s largest hotel company, even with all of its resources, can suffer such a massive and extended breach like this, then the rest of the industry should recognize the severity of the challenge ahead of us,” he said via email. “Security is not just an IT issue; it is a critical, board-level priority and should be treated and resourced accordingly. (Chief information security officers) should be empowered with suitable budget, headcount, and should report directly to the CEO, rather than another member of the C-suite—such as (chief information officer or chief technology officer)—which is commonly the case in the hospitality industry.”
Harrington’s suggestion for property-level hoteliers is to “coordinate with the brand’s incident response team to determine what steps you can take to support the recovery effort.”
“Most importantly, coordinate with the brand about what to tell guests; they will be concerned and likely won’t be mollified by platitudes and generalities, but likely will appreciate candid responses about the situation and what is being done to protect them,” he said.
He said if there’s a silver lining to the breach, it’s that it underscores the importance of security.
“Hopefully this event can result in changes in how leadership perceives security: as a mission to be pursued, rather than a cost to be minimized,” Harrington said. “Hopefully this event can result in security leaders becoming more empowered with more suitable resources and better-aligned executive buy-in.”
- For more on data breaches in the hotel industry, read HNN’s data breach special report.
Investor sentiment
In a note to investors, Mike Bellisario, VP and equity research senior analyst at Baird, said the news could hurt Marriott in the eyes of Wall Street.
“We believe investor sentiment toward Marriott could remain somewhat negative in the near term until this security incident is fully resolved and its true financial impact is learned,” he wrote. “Also, we’ll be keeping a close eye on customer demand/loyalty, which could slip a bit in the near term, in our opinion.”
Bellisario said the breach will fuel “customer concerns about merger-related hiccups, particularly surrounding the loyalty program integration.”
“But we believe Marriott will continue to take the necessary steps to protect its biggest asset—its customers and their loyalty—and to ensure a successful merger integration process,” he continued. “However, as a result of these recent Marriott-specific headwinds, which are likely to pass over time, we believe Hilton and Hyatt (from a stock perspective) will be the relative winners.”
As of press time, Marriott’s stock was trading at $115.71 a share, down 5% since markets opened.