Massive data breach at Marriott's Starwood hotel impacts up to 500 million hotel guests

Posted at 7:15 AM, Nov 30, 2018, and last updated 2018-11-30 18:55:02-05

BETHESDA, Md. (AP) — The information of as many as 500 million people staying at Starwood hotels has been compromised and Marriott says it's uncovered unauthorized access that's been taking place within its Starwood network since 2014.

The company said Friday that credit card numbers and expiration dates of some guests may have been taken. For about 327 million people, the information exposed includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests, the information was limited to name and sometimes other data such as mailing address, email address or other information.

Marriott said that in September there was a breach of its database, which held guest information related to reservations at Starwood properties on or before Sept. 10.

Starwood operates hotels under the names W Hotels, St. Regis, Sheraton Hotels & Resorts, Westin Hotels & Resorts, Element Hotels, Aloft Hotels, The Luxury Collection, Tribute Portfolio, Le Méridien Hotels & Resorts, Four Points by Sheraton and Design Hotels. Starwood-branded timeshare properties are also included.

Marriott International Inc. discovered through the investigation that someone copied and encrypted guest information and tried to remove it.

Marriott and Starwood merged two years ago and attempts to combine the loyalty programs for the hotels have been marred by technical difficulties.

CEO Arne Sorenson said in a prepared statement Friday that Marriott is still trying to phase out Starwood systems.

"The scope is amazing," said Alan Crowetz, WPTV's Internet Security expert with Infostream. "I almost thought it was a mistake the scope is so large."

Crowetz said anyone who uses the same password for different accounts will be the most vulnerable.

"The first thing someone is going to do with a database like this is try all the known banks and use the passwords and user names," Crowetz says.

Crowetz also offered this advice for creating a secure password:

  • At least 10 characters
  • At least one uppercase letter
  • At least one number and symbol

Marriott has set up a website and call center for anyone who thinks that they are at risk, and on Friday will begin sending emails to those affected.

Shares of Marriott tumbled 6 percent before the opening bell.
