Marriott has announced it has suffered a security incident affecting approximately 500 million guests who made a reservation at a Starwood property.
Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) programme.
On 8 September 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott learned during the investigation that there had been unauthorised access to the Starwood network since 2014. They discovered that an unauthorised party had copied and encrypted information. On 19 November 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
Marriott has not finished identifying duplicate information in the database, but believes it contains information on up to approximately 500 million guests who made a reservation at a Starwood property. For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates.
James Hutchinson, a Partner at Beale & Co specialising in data protection, commented:
“This is a significant breach affecting approximately half a billion people. Marriott customers will want to know why their personal data was exposed for so long without Marriott’s knowledge and what the impact on them will be.
The Information Commissioner's Office is likely to investigate why it took Marriott so long to announce the breach. The GDPR requires organisations to report data breaches to the ICO within 72 hours. Did they do so? Marriott are also required to advise affected individuals "without undue delay". The time Marriott has taken will be closely examined by the ICO.”
Marriott has set up a website to give affected individuals details of what they can do if they think their data has been compromised. They will also offer customers in the UK a year's subscription to WebWatcher. The site is available here.