Marriott warns of hack. 500 million Starwood hotel guests’ personal data could be exposed

“We fell short of what our guests deserve and what we expect of ourselves.”

Graham Cluley


There’s bad news if you’re one of the 500 million hotel guests whose data was included in the Starwood guest reservation database.

According to the Marriott hotel group, the guest reservation database used for Starwood reservations has been accessed by hackers, exposing the private details of up to 500 million guests.

This includes those who have stayed at the following hotel chains: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton, and Design Hotels that participate in the Starwood Preferred Guest (SPG) program. Starwood branded timeshare properties are also included.


Note that it doesn’t matter whether you are a Starwood Preferred Guest (SPG) member or not: if you made a reservation at a Starwood property on or before September 10, 2018, Marriott believes the details you provided may have been compromised.

Marriott’s own-branded hotels use a separate reservation system that the company says is on a different network, and not affected.

In an advisory published today (isn’t it funny how so many breaches are announced just before a weekend?), Marriott says it first received a security alert about an attempt to access the Starwood database on September 8, 2018.


During its subsequent investigation Marriott discovered that there had been unauthorised access to the Starwood network since 2014 (Marriott acquired the Starwood Hotels group in 2016 for US $12.2 billion).

Yes, you read that correctly – hacks of the Starwood reservation database appear to have been going on since 2014.

At the start of last week – on November 19 2018 – Marriott was able to confirm that data had indeed been stolen from Starwood’s network, and issued its warning today.

Marriott says that it believes the stolen data contains information on “up to approximately 500 million guests who made a reservation at a Starwood property”.

“For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information.”

Even if the payment card information is not capable of being decrypted by the hackers, there is plenty of information there which scammers and fraudsters could exploit to their criminal advantage.
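Marriott’s statement says the card numbers were AES-128 encrypted and that “two components” are needed to decrypt them, without saying what those components are. The Go program below is an added illustration, not Marriott’s code, and it assumes the common envelope-encryption layout (a per-record data-encryption key, or DEK, wrapped under a separate key-encryption key, or KEK, that is meant to live outside the database). The `StoredCard` layout, the key values and the test card number are all constructed for the example. It shows the point of the design: a dump of the encrypted rows is useless on its own, and the protection evaporates the moment the attacker also holds the second component.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealAESGCM encrypts plaintext under a 16-byte AES-128 key with AES-GCM.
// The random 96-bit nonce is prepended to the ciphertext so the record is
// self-describing; the GCM tag makes decryption under the wrong key fail loudly.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; it returns an error unless key matches.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// StoredCard is a hypothetical reservation-row layout: the PAN encrypted under
// a per-record DEK, plus that DEK wrapped under a KEK held elsewhere (HSM/KMS).
// Component one is this row; component two is the KEK.
type StoredCard struct {
	EncryptedPAN []byte
	WrappedDEK   []byte
}

// StoreCard generates a fresh DEK for the record and wraps it under kek.
func StoreCard(kek []byte, pan string) (StoredCard, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return StoredCard{}, err
	}
	encPAN, err := sealAESGCM(dek, []byte(pan))
	if err != nil {
		return StoredCard{}, err
	}
	wrapped, err := sealAESGCM(kek, dek)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{EncryptedPAN: encPAN, WrappedDEK: wrapped}, nil
}

// RecoverPAN needs both components. The row alone (without the right KEK)
// yields only an error; with the KEK as well, every PAN decrypts.
func RecoverPAN(kek []byte, rec StoredCard) (string, error) {
	dek, err := openAESGCM(kek, rec.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pan, err := openAESGCM(dek, rec.EncryptedPAN)
	if err != nil {
		return "", fmt.Errorf("decrypt PAN: %w", err)
	}
	return string(pan), nil
}

func main() {
	kek := []byte("0123456789abcdef")            // constructed demo KEK; never hard-code a real one
	rec, _ := StoreCard(kek, "4111111111111111") // constructed test PAN
	if _, err := RecoverPAN([]byte("fedcba9876543210"), rec); err != nil {
		fmt.Println("database dump alone (wrong KEK):", err)
	}
	pan, _ := RecoverPAN(kek, rec)
	fmt.Println("database dump plus KEK:", pan)
}
```

The design choice that matters here is where the KEK lives: if it sits on the same hosts or in the same database as the wrapped DEKs, an attacker with four years of access to the network, as described above, has every opportunity to take both components, which is exactly the possibility Marriott says it cannot rule out.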

Marriott says it has informed law enforcement authorities about the incident, and will assist them in their investigations.

But many will also be wondering what this might mean in terms of GDPR, as the database will include many people who were resident in the European Union.

GDPR, which has applied since 25 May 2018, allows for fines of up to 20 million Euros or 4% of a company’s global annual turnover – whichever is higher.

Ouch. I wonder how Marriott’s share price is going to perform today?

If you’ve stayed at one of the hotel chains affected by this data breach, check out the FAQ from Marriott.

Readers with long memories may recall that Starwood and Marriott hotels have had their fair share of run-ins with cybercriminals in the past, but from the sound of things this data breach is on a much larger scale.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
