Marriott announced today that there has been unauthorized access to the Starwood guest reservation database since 2014. It is not known how the system was hacked, but up to 500 million guests may be compromised.
The incident concerns only the Starwood reservations data because Marriott hotels have a separate system running on a different network. It affects anyone with a reservation at a Starwood property on or before September 10.
The information accessed and copied by the attackers includes the guest name and possibly physical and email addresses. For 327 million people, however, the exposed data also contains the passport number, Starwood Preferred Guest (SPG) account details, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Payment information - card numbers and expiration dates - was also present in the database. Although it was encrypted with the AES-128 algorithm, Marriott has not been able to determine whether the decryption components were taken. If they were, the attackers would have been able to gain access to credit card information.
For those affected, Marriott is offering a free 1 year subscription to WebWatcher, which monitors web sites that share personal information and notifies you if your information is detected. This offer is only available to members from the United States, Canada, and the United Kingdom.
On September 8 this year, an internal security tool raised an alert about an attempt to access the database. Security experts were called in to determine the cause of the notification.
The investigation revealed that unidentified parties had unauthorized access to the Starwood network since 2014, two years before Marriott bought the Starwood properties. Starwood brands include: W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels that participate in the Starwood Preferred Guest (SPG) program. Starwood branded timeshare properties are also included.
"Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database," the hotel chain says on an information site set up for this incident.
The hospitality company set up a call center available in multiple languages, open seven days a week, for people who want to learn more about the incident.
Starting today, the company is sending emails to affected guests whose email addresses were compromised.
Marriott warns that crooks may try to use phishing to trick people into providing sensitive details. For this reason, affected individuals should know that the breach alert is purely informative and that it comes from the email address "firstname.lastname@example.org."