As many as half a billion Starwood hotel guests may have had their private data stolen in one of the largest hacks in corporate history, which its parent Marriott International said had exposed passport and credit card numbers.
The attack could be an important test case for Europe’s new data protection laws because Marriott, the world’s largest hotel group, said it had learnt of the breach of Starwood’s guest reservation database in September — but it only informed the public this week.
The General Data Protection Regulation requires companies to inform regulators within 72 hours of finding the breach, or face fines of up to 4 per cent of global revenue.
A subsequent investigation found the “unauthorised access” dated back to 2014, making it tough for the company to know exactly what could have been accessed in such a long period.
The hotelier said that about 327m of the 500m customers affected had some combination of their name, home address, telephone number, passport number, Starwood Preferred Guest reservation number, date of birth and other identifying information exposed.
While payment card numbers and expiry dates held on the Starwood database were encrypted, keys needed to decrypt this information may have been “taken” in the attack, Marriott added.
“We fell short of what our guests deserve and what we expect of ourselves,” said Arne Sorenson, Marriott chief executive. “We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”
The data breach appeared to be the largest since Yahoo disclosed last year that more than 3bn of its users were hacked in 2013.
In the US, attorneys-general from New York, Connecticut and Illinois said they were opening an investigation into the breach, while Senator Mark Warner said the hack showed that Congress needed to act to pass legislation to protect data and stop consumers shouldering the cost of breaches.
But Marriott could be more vulnerable in the EU, where a recently enacted data protection law could leave the company open to millions of dollars in fines. With global revenues of $22.9bn in 2017, Marriott could be fined up to around $900m.*
The hack would be by far the largest since the EU law came into effect in May, and the Information Commissioner’s Office in the UK, where Marriott’s European operations are based, said it was “making inquiries”.
Marriott said it believed that it had complied with all reporting requirements under the new law.
Its shares were down 5.7 per cent to $114.87 in late New York trading.
Marriott, which bought the Starwood chain in 2016 for $13.6bn, said that while it had first detected the breach in September, it only determined the extent of the problem last week, when it began notifying authorities.
Marriott said it was working with its insurance providers and expected to disclose costs related to the incident. But the company said it did not anticipate the breach to “impact its long-term financial health”.
Jason Hill, lead researcher at CyberInt, a company that monitors the so-called dark web often used by fraudsters to share information, said he had not seen Marriott customer data on any of the hidden websites he tracks.
“With that amount of stolen data, if they have a complete set of personal ID information and they have combined it with payment card [details], it has great resale value on the underground economy,” Mr Hill said. “But it would be too hot for someone to try and shift as one big block.”
There was a spate of hackers targeting hotels for credit card information and other customer data in 2014, when the Starwood breach apparently began. The initial attacks focused on spreading malicious software through point-of-sale systems, like those used by cashiers in retailers.
In February 2014, White Lodging Services Corporation, a hotel management company, reported a breach that began the previous year and affected Renaissance and Holiday Inn hotels.
In 2015, the company said it suspected breaches at more properties, the majority of which were Marriott hotels in the US. Later that year, Starwood announced point-of-sale system security issues at 70 hotels in the US, with some compromised the year before.
James Sullivan, a cyber security expert at the Royal United Services Institute, a London think-tank, said it was “concerning” that Marriott was not ruling out that encryption used to keep payment card details private may have been decrypted, “given the high levels of encryption we would expect them to have used”.
Matt Middleton-Leal, European general manager at IT software security company Netwrix, said Marriott’s statement that hackers may have taken decryption keys for payment card details suggested the hotel group had stored too much information on the same system.
“This is a very basic mistake,” he said. “It seems that this breach may have dated as far back as 2014, which suggests that the organisation’s detection capabilities are lacking,” he added.
*This article has been amended to correct the 2017 revenue number and associated potential fine.