Marriott Reveals 4-Year Long Data Breach Affecting 500 Million Guests

Marriott International, Inc., the world’s largest hotel chain, disclosed a massive data breach that lasted for 4 years, exposing personal and financial information of its 500 million guests, specifically guests who made a reservation at Marriott’s Starwood properties.

Marriott has more than 6,700 properties in 129 countries and territories, including Canada. Thirty leading hotel brands are under the Marriott umbrella. Marriott has since become the world’s largest hotel chain after acquiring Starwood Hotels & Resorts Worldwide in September 2016. Starwood hotels include Sheraton, W Hotels, Westin, Aloft and St. Regis.

In a statement, Marriott said that the network containing guest information relating to reservations at Starwood properties was illegally accessed from 2014 up to September 10, 2018. Marriott said that an unauthorized party copied and encrypted the information from the compromised network and took steps towards removing it. Marriott believes the unauthorized party encrypted the data so that it could pass data-loss prevention tools without being detected.
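Encrypting data before moving it out defeats DLP rules that look for recognisable content such as names or card numbers, but it leaves a measurable trace: encrypted payloads have near-maximal byte entropy. The check below is an added example written for this article, not Marriott's or any vendor's tooling; the 7.5 bits/byte threshold and the two sample files are assumptions.

```python
import math
import random
from collections import Counter

# Bits per byte. Plain text usually scores 4 to 5; compressed or encrypted
# data approaches 8. The cutoff is an assumption chosen for this example.
HIGH_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> bool:
    """True when the payload is too random for content inspection to read.
    Compressed archives score high as well, so a hit means 'review', not 'theft'."""
    return shannon_entropy(data) >= threshold


def triage_outbound(transfers):
    """transfers: list of (filename, payload bytes).
    Returns the names whose content a keyword-based DLP rule could not inspect."""
    return [name for name, payload in transfers if looks_encrypted(payload)]


# Constructed samples, not data from the Marriott incident.
PLAINTEXT_SAMPLE = b"name,email,passport\n" * 50
# Deterministic pseudo-random bytes standing in for an encrypted archive.
_rng = random.Random(1234)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_TRANSFERS = [
    ("guest_export.csv", PLAINTEXT_SAMPLE),
    ("backup.bin", ENCRYPTED_SAMPLE),
]

if __name__ == "__main__":
    for name, payload in SAMPLE_TRANSFERS:
        print(f"{name}: {shannon_entropy(payload):.2f} bits/byte")
    print("needs review:", triage_outbound(SAMPLE_TRANSFERS))
```

Pairing a flag like this with the size and destination of the transfer is what turns it into a useful alert; on its own it only says the content was unreadable.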

The hotel chain said it became aware of the problem on September 8, 2018, and that on November 19, 2018, it decrypted the information and determined that the contents came from the Starwood guest reservation network.

Marriott said that for 327 million of the 500 million affected guests, the information illegally accessed included name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

For some of these guests, Marriott said that payment card numbers and payment card expiration dates were also accessed without authorization. Although the payment card numbers were encrypted with the Advanced Encryption Standard (AES-128), the company said it couldn’t rule out the possibility that the unauthorized party had decrypted them. The company added that the data illegally accessed for the remaining guests was limited to name, mailing address, email address or other information.

The hotel chain said that its own Marriott-branded hotels aren’t affected as they use a different network that wasn’t breached.

“We deeply regret this incident happened,” said Arne Sorenson, Marriott’s President and Chief Executive Officer. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

Marriott didn’t specify exactly when in 2014 the data breach started. It’s worth noting that back in November 2015 Starwood disclosed its own data breach affecting nearly 100 Starwood hotels in North America.

Sergio Rivera, President of Starwood Americas, said that point of sale systems at restaurants, gift shops and elsewhere in the affected hotels were infected with malicious software (malware), enabling attackers to access the payment card data of an unspecified number of customers. Rivera added that the malware that infected Starwood hotels was designed to collect payment card information, including cardholder name, payment card number, security code and expiration date.

“We want you to know that the affected hotels have taken steps to secure customer payment card information, and the malware no longer presents a threat to customers using payment cards at our hotels,” Rivera said.

Impact of the Marriott Data Breach

The Marriott data breach ranks as the second biggest data breach in history, behind only Yahoo with 3 billion compromised accounts. It is followed by the data breach at Adult Friend Finder with 412 million compromised accounts, the Equifax data breach affecting 146 million customers and the eBay data breach affecting 145 million users.

Bloomberg reported that as a result of the data breach, Marriott shares slumped as much as 6.9%.

Marriott said that it has already begun notifying regulatory authorities. Corey Larocque, a spokesperson for the Canadian Office of the Privacy Commissioner, told CBC that Marriott informed the office of the breach and that the office is “following up” with the company.

Since November 1 of this year, Canada’s Digital Privacy Act has required private organizations to notify the Privacy Commissioner of Canada and the affected individuals once it’s determined that a data breach poses a “real risk of significant harm” to any individual. Failing to notify the Privacy Commissioner of Canada and failing to notify the affected individuals are separate offenses, each subject to a fine of up to $100,000.

Elsewhere, New York’s attorney general Barbara Underwood announced that her office opened an investigation into the Marriott data breach. “New Yorkers deserve to know that their personal information will be protected,” Underwood said.

The 4-year long data breach at Marriott is an eye-opener for many organizations: cyber criminals are actively looking for vulnerable computer networks, and an intrusion can persist for years when nobody is watching for it.

Starwood, in its data breach disclosure, didn’t name the malware that infected its systems. In the latest data breach, Marriott didn’t specify how the attackers were able to break into Starwood’s network, which Marriott inherited when it acquired Starwood. Marriott also didn’t explain why it took years for the company to detect the intrusion.

One of the security best practices for preventing network intrusion is keeping all software up to date. Computer networks that run outdated server operating systems are particularly vulnerable to malware intrusion. Many malware programs infect networks by exploiting security vulnerabilities for which software vendors have already issued security updates that users haven’t installed in a timely manner.

Contact us today if you need assistance in protecting your organization’s networks against malware intrusion.