500M hit by Marriott data breach; intrusion undetected since 2014
- Marriott International disclosed a data breach impacting 500 million guests, according to a company announcement Friday. About 327 million of those guests had information such as passport numbers and addresses compromised. Payment card numbers were also duplicated for some guests.
- The hospitality company found its Starwood reservation database had been compromised since 2014. The perpetrators had copied and encrypted the information and begun the process of removing it.
- Law enforcement has been notified and Marriott is in the midst of notifying necessary regulatory authorities, according to the announcement.
Equifax, Yahoo and Uber were the most notorious disclosed breaches of 2017, and 2018 almost squeaked by without a breach massive enough to compare. Until now.
Marriott's security shortcomings "underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication," said Bimal Gandhi, CEO of Uniken, in an email to CIO Dive.
Marriott was notified of an intrusion on Sept. 8 by an internal security tool, alerting the company of an unauthorized attempt to access its Starwood guest reservation platform.
Marriott didn't complete its acquisition of Starwood Hotels and Resorts Worldwide until September 2016. The deal created the largest hotel chain in the world.
System migrations can take years, and companies can unknowingly inherit flaws. Ensuring security continuity among systems acquired in a business deal requires audits and experts to ensure systems are streamlined.
The company enlisted security experts to investigate the intrusion and found the access point from 2014. By November 19, Marriott was able to decrypt the stolen data.
The investigation is ongoing but has found that for about 327 million impacted guests in the Starwood Preferred Guest platform, the following information was impacted:
- Mailing address
- Phone numbers
- Passport numbers
- Starwood Preferred Guest account information
- Birth date
- Arrival and departure information
- Reservation date and communication preferences
With information so easily sold and distributed on the dark web, Marriott's security breach "represents a potential point of attack" on its impacted guests, said Gandhi.
Follow Samantha Ann Schwartz on Twitter