A massive security breach of Marriott’s Starwood hotel reservation database has exposed the personal information – including passport numbers, birthdays, and in some cases credit card numbers – of as many as 500 million guests.

Unidentified hackers had had access to the hotel chain’s reservation database since 2014, Marriott International admitted, stating that management only discovered the breach after an internal security tool alerted them in September to an unauthorized attempt to access the Starwood database.

At least 327 million guests’ names, passport numbers, phone numbers, emails, and birthdays were exposed, and some guests had their credit card numbers and security codes stolen as well – but not to worry, Marriott says. That data was encrypted. “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken,” they admit.

For millions of others, up to an estimated total of 500mn guests, the stolen info was “limited” to name, contact data, and unspecified “other information.” Affected guests are being notified “on a rolling basis,” according to a press release, which is surely no comfort to those customers already infuriated that the hotel waited two months to notify them of the breach.

The statement left Marriott customers with a lot of unanswered questions, such as: How did it take them two months to figure out what data was accessed, and why did they wait another two weeks before informing those affected? But guests shouldn’t feel like the only ones left out of the loop. Marriott has only just begun informing regulators, though law enforcement, it seems, was told a bit earlier, as Marriott claims the company “continues to support their investigation.”

If history is any guide, @Marriott’s mega data breach will be treated like all the others: the company will apologize & offer useless credit monitoring to the victims impacted. The status quo isn’t working. — Ron Wyden (@RonWyden) November 30, 2018

Most companies bite the bullet and notify customers as soon as they discover a breach – particularly one of this magnitude, which dwarfs last year’s Hyatt and InterContinental hacks. Not Marriott, which has not even finished “identifying duplicate information in the database” – meaning more information could have been taken from more guests than they’ve let on.

Marriott acquired Starwood in 2016, meaning the breach had already occurred when they took possession of the brand, which includes the W, Sheraton, Westin, St. Regis, and Le Meridien chains. Marriott’s stock dropped six percent after the news broke on Friday.

We’ve opened an investigation into the Marriott data breach. New Yorkers deserve to know that their personal information will be protected. — NY AG Underwood (@NewYorkStateAG) November 30, 2018

A Marriott representative claimed the hack would not affect the company’s long-term financial health, though the company was consulting with its insurance carriers to assess liability. But by letting the personal information of even a single European customer leak without their consent, Marriott could have violated the GDPR, putting it on the hook for as much as four percent of its global revenues – to say nothing of potential class action suits from the rest of the hacking victims. New York, Maryland, and Pennsylvania State Attorneys General have already opened or announced plans to open investigations into the breach.