Data on 500m customers of the Marriott International hotel group has been exposed. The hotel chain stated that its Starwood division's guest reservation database was compromised by a single unauthorized party. An internal investigation found that an attacker had been accessing the Starwood network since 2014. The firm said that customers affected by the breach would be notified. In 2016, Marriott International purchased Starwood, creating the world's largest hotel chain with over 5,800 properties. Starwood hotel brands include Le Méridien, Sheraton, W Hotels and Sheraton's Four Points. Marriott-branded hotels use a separate reservation system on a different network.
An internal security tool alerted Marriott to someone attempting to access the Starwood database; that party was found to have 'copied and encrypted' data from the database, which is believed to have contained information on 500m customers. For around 327m customers, the stolen records included combinations of names, addresses, phone numbers, email addresses, passport numbers, genders, dates of birth and information about arrivals, departures and accounts. Some encrypted payment card information may also have been stolen, along with the encryption keys. The company expressed its deep regret about the situation and set up a website to inform affected customers. Regulatory authorities have also been notified. Victims of the breach have been offered one-year subscriptions to a fraud-detection service.
Marriott stated that reservation details up to September 10, 2018 had been stolen. The situation regarding payment information is not entirely clear, so customers have been told to watch for suspicious transactions on their accounts. Fraudulent emails impersonating the Marriott group may also be sent. Anyone with concerns about the incident has been told to contact the authorities via the helpline number provided to them.
Although worse data breaches have occurred before, this one can be considered serious because the affected group comprises 500m customers. The hotel chain, whose headquarters are in the USA, will comply with the EU's GDPR rules when dealing with EU citizens. International regulators such as the ICO believe that the company took too long to act, even with all the regulatory steps now being taken.