Marriott data breach hits 500 million Starwood hotel guests

Hackers stole personal information and some payment card data.

Sean Keane Former Senior Writer

Travelers, beware: Marriott has discovered a data breach that could impact up to 500 million guests.

The hotel group revealed Friday that hackers had compromised the guest reservation database of its Starwood division, whose brands include Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis. The problem affects people who had reservations at those properties up until Sept. 10 of this year.

Its Marriott-branded hotels use a separate reservation system on a different network.

An internal investigation found that the network was first breached in 2014 and that "an unauthorized party had copied and encrypted information." For around 327 million of those affected, that data included names, addresses, phone numbers, emails, passport numbers and travel details.

Data breaches have become an all too common problem for businesses and consumers alike, with no sign of slowing down. Last month, for instance, Hong Kong airline Cathay Pacific announced it suffered a data breach that impacted 9.4 million people. In September, Facebook revealed a breach that put the data of 50 million users at risk. And the ripple effects of older incidents continue to be felt: Just a month ago, Yahoo said it will have to pay $50 million in damages as part of a settlement following massive data breaches in 2013 and 2014.

Lawmakers have taken notice, and they're looking for ways to press companies to accept more responsibility. In Congress, Sen. Ron Wyden has introduced a proposed Consumer Data Protection Act, which, among other things, would threaten CEOs with possible jail time if they're found to have lied about their data protection efforts.

In the UK, the Information Commissioner's Office said that Marriott had informed it of the breach and that it's making inquiries into the matter. The watchdog agency also addressed the victims of the breach.

"We advise people who may have been affected to be vigilant and to follow advice from the ICO and National Cyber Security Centre websites about how they can protect themselves and their data online," an ICO spokesman said in an emailed statement.

Meanwhile, New York's attorney general said in a tweet that her office has opened an investigation.

Marriott noted that some of the stolen information also included payment card numbers and expiration dates. Even though this data is normally encrypted, the company said the encryption key data might've been stolen too.

An internal security tool alerted Marriott to a potential breach on Sept. 8, but the company only determined the content of the stolen data on Nov. 19.

Marriott will start notifying affected guests via email from Friday, and it has set up an information website and call center. It's also offering guests in the US and some other countries a year's subscription to WebWatcher, a fraud detection service.

"We fell short of what our guests deserve and what we expect of ourselves," said Arne Sorenson, Marriott's president and CEO, in a release. "We are doing everything we can to support our guests, and using lessons learned to be better moving forward."

Starwood was previously impacted by a malware attack in 2016, the same year Marriott bought it for $13 billion. The following year, more than 1,200 properties run by the InterContinental Hotels Group fell victim to a three-month malware attack targeting payment card data.

First published at 5:11 a.m. PT.
Updated at 6:31 a.m. PT: Added more details about the Marriott breach.
Updated at 6:58 a.m. PT: Added New York AG's statement and background about recent data breaches.