Marriott International Inc. has been investigating a hack in which attackers had unauthorized access to the guest reservation database at its Starwood unit since 2014, in what may be one of the biggest data breaches of its kind.
The attack is troubling not just because of its sheer size, but also the level of detail potentially stolen by the attackers. The hack affects some 500 million guests, and for about 327 million of them, the data included passport numbers, emails and mailing addresses, Marriott said.
Among breaches of personal data, the Marriott hack may rank second only to the 2013 security breach at Yahoo, in which 3 billion user accounts were exposed. Marriott shares slumped 5.6 percent in pre-market trading.
Regulators and consumers have been stepping up their action against companies that have suffered security breaches as such attacks have grown more severe. Target Corp. last year agreed to pay $18.5 million to settle investigations by dozens of states over a 2013 hack of its database in which the personal information of millions of customers was stolen, while Equifax is facing billion-dollar lawsuits and a regulatory investigation.
“The breach is so big that the company may face a large fine from the authorities and the market is factoring that in,” said Juan Jose Fernandez Figares, chief analyst at Link Securities in Madrid. “This is yet another company that has been hit by a hacking and a reminder to any company that manages customers’ personal data that they need to work harder to protect them from future attacks.”
Marriott’s statement indicates the hacking was going on years before the company acquired Starwood in a deal valued at about $13.6 billion that closed in September 2016. Marriott’s database contained guest information relating to reservations at Starwood properties on or before Sept. 10, 2018. For some, it also included payment card details, said Marriott, which didn’t identify who the perpetrators might be.
Although Marriott said that details such as credit card numbers were encrypted, it has not been able to rule out the possibility that the attackers also took enough of the information needed to decrypt those numbers.
The company has reported the incident to law enforcement and continues to support their investigation, and has also begun notifying regulatory authorities.