Huge Data Hack At Marriott Starwood Hotels Compromises Info Of 500 Million People

FILE - In this Tuesday, April 30, 2013, file photo, a man works on a new Marriott sign in front of the former Peabody Hotel in Little Rock, Ark. Marriott says the information of up to 500 million guests at its Starwood hotels has been compromised. It said Friday, Nov. 30, 2018, that there was a breach of its database in September, but also found out through an investigation that there has been unauthorized access to the Starwood network since 2014. (AP Photo/Danny Johnston, File)

BETHESDA, Md. (AP) — The information of as many as 500 million people staying at Starwood hotels has been compromised and Marriott says it’s uncovered unauthorized access that’s been taking place within its Starwood network since 2014.

The company said Friday that credit card numbers and expiration dates of some guests may have been taken. For about 327 million people, the information exposed includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

Marriott said that there was a breach of its database in September, which had guest information related to reservations at Starwood properties on or before Sept. 10.

Starwood operates hotels under the names: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood branded timeshare properties are also included.

Marriott International Inc. discovered through the investigation that someone copied and encrypted guest information and tried to remove it.

Marriott and Starwood merged two years ago and attempts to combine the loyalty programs for the hotels have been marred by technical difficulties.

CEO Arne Sorenson said in a prepared statement Friday that Marriott is still trying to phase out Starwood systems.

Marriott has set up a website and call center for anyone who thinks that they are at risk, and on Friday will begin sending emails to those affected.
Shares of Marriott tumbled 6 percent before the opening bell.

Notable Replies

  1. “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences.”

    Why does a hotel have passport numbers? At least in most countries, hotel guests no longer have to show passports or leave them with hotel staff. (I’m old enough to remember when, at least in parts of Europe, that was common.)* And date of birth? Gender? It may be apparent from name, but otherwise, what business is it of the hotel?

  2. I saw the headline and thought that it was going to be a story about somebody who monitored salesmen looking at porn, but this is a big dam deal. The information hacked is exactly the sort of information hackers need for identity theft. What was Marriott thinking? Was it thinking at all? It sounds like its IT security was very lax.

  3. It’s info to join the rewards program.

  4. jmacaz says:

    Not that it lessens the severity, but at the time Starwood was not yet part of Marriott.

  5. Fines for companies that require this kind of info need to be such that it puts their continued existence at risk. Willful neglect like this under HIPAA rules could result in more fines than the company’s total value. Until then, there’s simply no incentive for them to do anything about it. Breaches like this essentially cost them nothing.
