Marriott discovered a data breach that could’ve impacted up to 500 million guests, it said Friday.
The group revealed that hackers compromised the guest reservation database of its Starwood division, whose brands include Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis, up to Sept. 10.
Its Marriott-branded hotels use a separate reservation system on a different network, the BBC reported.
An internal investigation found that the network was first breached in 2014, and that “an unauthorized party had copied and encrypted information.” For around 327 million of those impacted, that data included names, addresses, phone numbers, emails, passport numbers and travel details.
Data breaches have become an all too common problem for businesses and consumers alike, with no sign of slowing down. Last month, for instance, a Hong Kong airline said it suffered a data breach that impacted 9.4 million people. In September, a breach put the data of 50 million users at risk. And the ripple effects of older incidents continue to be felt: Just a month ago, Yahoo said it will have to as part of a settlement following massive data breaches in 2013 and 2014.
Lawmakers have taken notice, and they’re looking for ways to press companies to accept more responsibility. In Congress, a proposed Consumer Data Protection Act would, among other things, threaten CEOs with possible jail time if they’re found to have lied about their data protection efforts.
In the UK, the Information Commissioner’s Office said that Marriott had informed it of the breach and that it’s making inquiries into the matter. The watchdog agency also addressed the victims of the breach.
“We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online,” an ICO spokesman said in an emailed statement.
Meanwhile, New York’s attorney general said in a tweet that her office has opened an investigation.
Marriott noted that some of the stolen information also included payment card numbers and expiration dates. Even though this data is normally encrypted, the company said the encryption key data might’ve been stolen too.
An internal security tool alerted Marriott to a potential breach on Sept. 8, but it only determined the content of the stolen data on Nov. 19.
The company will start notifying affected guests via email from Friday, and it has set up an information website and call center. It’s also offering guests in the US and some other countries a year’s subscription to WebWatcher, a fraud detection service.
“We fell short of what our guests deserve and what we expect of ourselves,” said Arne Sorenson, Marriott’s president and CEO, in a release. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
Starwood was previously impacted by a malware attack in 2016, the same year Marriott bought it for $13 billion. The following year, more than 1,200 properties run by the InterContinental Hotels Group fell victim to a three-month malware attack targeting payment card data.
First published at 5:11 a.m. PT.
Updated at 6:31 a.m. PT: Added more details about the Marriott breach.
Updated at 6:58 a.m. PT: Added New York AG’s statement and background about recent data breaches.