Breach, Content

Massive Marriott Starwood Data Breach Pressures MAR Stock

Marriott has disclosed a massive Starwood hotel data breach that may have impacted 500 million customers, according to the hotel giant. It may rank among the largest data breaches ever.

Marriott's stock (NYSE: MAR) fell roughly five percent on the news, reinforcing the fact that security breaches and data theft have a direct impact on brand perception and business performance. The company has notified regulators of the breach. It's too soon to say if or how Marriott will face fines related to GDPR and other compliance regulations.

Key Starwood Hotels brands include:

  • Westin
  • Sheraton
  • The Luxury Collection
  • Four Points by Sheraton
  • W Hotels
  • St. Regis
  • Le Méridien
  • Aloft
  • Element
  • Tribute Portfolio
  • Design Hotels

Marriott: Starwood Data Breach Details

The breach and unauthorized access to Starwood's reservation network apparently stretched from 2014 through November this year, Marriott disclosed today. Among the key findings so far, the company says:

  • On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States.
  • Marriott hired security experts to help determine what occurred.
  • Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.
  • The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it.
  • On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.
  • The total impact could involve information from 500 million guests who made a reservation at a Starwood property.
  • For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
  • For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).
  • Marriott reported this incident to law enforcement and continues to support their investigation. The company has already begun notifying regulatory authorities.

Next Steps: Marriott Starwood Data Breach Investigation

The investigation is ongoing. Stay tuned to MSSP Alert. We'll update this article throughout the day with more information about the breach and associated investigation.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.