Tag: Marriott

Update regarding the data breach at Marriott

7. January 2019

Marriott International Inc, the world’s largest hotel company, based in the USA, which was hit by a data breach in 2018, has announced new information regarding the breach in which unauthorized access to the Marriott subsidiary Starwood’s reservation database was made (we reported).

Contrary to initial statements, not 500 million records of hotel guests but only 383 million are affected. It should be noted that for a guest who has stayed several times in one of the hotels belonging to the Marriott Group, there is one record for each overnight stay. According to this, not 383 million people were affected, but fewer. However, the Marriott Group cannot give the exact number of people affected.

In addition to the corrected number of victims, Marriott announced that some confidential data such as passport and credit card numbers were unencrypted. About 5,25 million unencrypted and about 20,3 million encrypted passport numbers could be viewed by unauthorized persons. According to the company, the master key for decryption was not copied.

In addition, around 8,6 million encrypted credit card numbers were affected, of which only 345.000 were still valid. Here, too, the master key could not be captured. At the moment, it is still being investigated whether credit card numbers entered in the wrong fields and thus stored unencrypted are affected.

Marriott International – data breach affecting 500 million customers

3. December 2018

Marriott International Inc., the world’s largest hotel company, was hit by a data breach affecting up to 500 million customers.

Marriott said it has found a data breach in the Starwood guest reservation database regarding the hotels ‘Westin’, ‘Sheraton’, ‘Le Méridien’, ‘St. Regis’ and ‘W Hotels’. The main brand Marriott does not belong to it. Marriot had bought its competitor Starwood in 2016 and thus obviously their security gap at the same time.

Up to 500 million customers may have been affected by the breach and, of those impacted, roughly two-thirds had their names, addresses, phone numbers, email addresses, passport numbers and duration of stay compromised. It is also possible that payment card information were caught in the breach.

An internal tool alerted a potential data breach on September 8th, 2018. An investigation subsequently initiated revealed that the guest database may have been compromised since 2014. At the moment Marriott could not rule out the possibility that the files needed for decryption had also been stolen. This would mean that the attackers could also use the stolen data to, for example, shop with them.

As a result, Starwood’s IT systems will be phased out.

Since Friday, those affected have also been informed and customer can find out more on the website.