Marriott International Inc., the parent company of leading hotel chains such as the Ritz-Carlton and JW Marriott, has suffered a data breach which exposed the details of some 500 million guests.
Since 19 November, the company has been investigating unauthorised access of a guest reservation database belonging to its Starwood subsidiary dating back to 2014.
A statement released by Marriott states: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States.
“Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.
“The company recently discovered that an unauthorised party had copied and encrypted information, and took steps towards removing it.”
Marriott data breach: Scale of the breach
The breach has potentially exposed the names, addresses, phone numbers, email addresses, date of birth, gender, passport numbers, account information, booking information and communication preferences of up to 327 million guests.
The database also contained encrypted credit card information of some of those guests. The company is unable to confirm that the components needed to decrypt this information was not also taken during the breach.
“There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” the statement read.
Such a large scale breach of personal data could make it the second biggest to-date, behind only the 2013 Yahoo! breach in which the details of some 3 billion users were compromised.
Javvad Malik, security advocate at AlienVault, described the breach as like “leaving the key for the front door under the mat”, with poor security practices likely to have resulted in one of the biggest breaches in history.
“This seems like a particularly big breach, not just because of the number of records taken, but also the details that were contained within,” Malik said.
“It appears as if detection capabilities were not adequate, taking several weeks to notice the breach and extraction of records. It is good that the credit card database was encrypted, but if, according to the company, the attackers were able to take the decryption key, then it was of no use. The digital equivalent of leaving the key for the front door under the mat.”
Law enforcement has been alerted and Marriott is continuing to support their investigation. Data regulation authorities have also been informed, which could lead to costly regulatory fines.
“We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward,” Arne Sorenson, CEO of Marriott International said.
Starwood Hotels, purchased by Marriott in 2016, operates the Westin, Sheraton, Four Points, W Hotels, St. Regis, Le Méridien, Aloft, Element, Tribute Portfolio and Design Hotels chains. According to the company’s latest annual report, it currently operates 6,500 properties in 127 countries and territories.
While the breach started in 2014, Marriott has confirmed that the unauthorised activity that led to the discovery occurred on 8 September 2018 – four months after GDPR came into force.
Could Marriott face a GDPR fine?
Starwood is a US-headquartered subsidiary and while we don’t know the geographical breakdown of affected customers, it is highly likely that some European data was among the 500 million individuals compromised.
These two factors would mean that the breach falls under the remit of the General Data Protection Regulation (GDPR), which threatens a maximum fine of €20m or 4% of global annual turnover.
With Marriott’s revenue in 2017 standing at $22.894bn, the hotel chain faces the possibility of a $916m penalty. However, GDPR fines are determined on a sliding scale depending on a number of factors. These include the type of data accessed, preventative and reactive measures taken by the company and time taken to discover the breach.
Because the breach occurred across a four-year period, it is unclear how data regulators will break down the investigation, or which year’s turnover they will use to determine the fine.
With a breach of this timescale and high volume of data, it is likely that data regulators from multiple international jurisdictions will pool together their information.
Joseph Carson, Chief Security Scientist at Thycotic said:
“The major problem of such data breaches in the past is that those companies who have been entrusted to protect their customer data have only offered up to one year of identity theft protection. But, many of the identity information that is stolen typically can last between 5-10 years such as drivers licenses and passports. So while victims may get some protection, they are at serious risk for years unless they actively replace compromised identity documents which is done at a cost.
“Companies who fail to protect their customers should be at least responsible for the cost of replacing compromised information and documents rather than deflecting responsibility and accountability.”